mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-07 18:17:22 +00:00
Merge branch 'main' into repo_sync_working_branch
commit 9d5b459ea0
@ -11,6 +11,7 @@ ms.reviewer: pesmith
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
---

# VPN security features

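Review bot: the only change in this hunk, and in every other hunk of this commit, is the one-line insertion of `ms.technology: itpro-security` immediately before the closing `---` of the front matter. Because the sweep touches dozens of files by hand, a repository-side check that fails the build when a file under the security tree lacks `ms.technology` would both confirm that nothing was skipped here and stop new files from regressing.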
@ -12,6 +12,7 @@ ms.date: 04/19/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
ms.technology: itpro-security
---

# Windows Credential Theft Mitigation Guide Abstract

@ -11,6 +11,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
ms.technology: itpro-security
---

# Boot Configuration Data settings and BitLocker

@ -12,6 +12,7 @@ ms.collection:
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
ms.technology: itpro-security
---

# BitLocker basic deployment

@ -12,6 +12,7 @@ ms.collection:
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
ms.technology: itpro-security
---

# BitLocker Countermeasures

@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 05/20/2021
ms.custom: bitlocker
ms.technology: itpro-security
---

# BitLocker deployment comparison

@ -12,6 +12,7 @@ ms.collection:
ms.topic: conceptual
ms.date: 03/10/2022
ms.custom: bitlocker
ms.technology: itpro-security
---

# Overview of BitLocker Device Encryption in Windows

@ -13,6 +13,7 @@ ms.collection:
ms.topic: conceptual
ms.date: 04/17/2019
ms.custom: bitlocker
ms.technology: itpro-security
---

# BitLocker group policy settings

@ -11,6 +11,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
ms.technology: itpro-security
---

# BitLocker: How to deploy on Windows Server 2012 and later

@ -12,6 +12,7 @@ ms.collection:
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
ms.technology: itpro-security
---

# BitLocker: How to enable network unlock

@ -11,6 +11,7 @@ ms.collection:
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
ms.technology: itpro-security
---

# BitLocker management for enterprises

@ -12,6 +12,7 @@ ms.collection:
ms.topic: conceptual
ms.date: 01/26/2018
ms.custom: bitlocker
ms.technology: itpro-security
---

# BitLocker

@ -12,6 +12,7 @@ ms.collection:
ms.topic: conceptual
ms.date: 10/28/2019
ms.custom: bitlocker
ms.technology: itpro-security
---

# Breaking out of a BitLocker recovery loop

@ -13,6 +13,7 @@ ms.collection:
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
ms.technology: itpro-security
---

# BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker

@ -29,7 +30,7 @@ BitLocker Drive Encryption Tools include the command-line tools manage-bde and r

Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios.

Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or using the recovery console.
Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive can't be unlocked normally or using the recovery console.

1. [Manage-bde](#bkmk-managebde)
2. [Repair-bde](#bkmk-repairbde)

@ -73,20 +74,20 @@ manage-bde -protectors -add C: -pw -sid <user or group>

This command will require you to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, you can then turn on BitLocker.

On computers with a TPM, it is possible to encrypt the operating system volume without any defined protectors using manage-bde. Use this command:
On computers with a TPM, it's possible to encrypt the operating system volume without any defined protectors using manage-bde. Use this command:

```powershell
manage-bde -on C:
```

This command encrypts the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command:
This command encrypts the drive using the TPM as the default protector. If you aren't sure if a TPM protector is available, to list the protectors available for a volume, run the following command:

```powershell
manage-bde -protectors -get <volume>
```
### Using manage-bde with data volumes

Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on <drive letter>` or you can choose to add additional protectors to the volume first. We recommend that you add at least one primary protector and a recovery protector to a data volume.
Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on <drive letter>` or you can choose to add additional protectors to the volume first. We recommend that you add at least one primary protector and a recovery protector to a data volume.

A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker.

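Review bot: the TPM-only example in this hunk (`manage-bde -on C:` on a volume with no defined protectors, followed by "This command encrypts the drive using the TPM as the default protector") should carry the same recommendation the data-volume paragraph below it makes, namely that a recovery protector be added as well; an operating system volume whose only protector is the TPM has nothing to fall back on when BitLocker enters recovery. A one-line pointer such as `manage-bde -protectors -add C: -RecoveryPassword` next to `manage-bde -on C:` would close the gap. Also, `manage-bde -protectors -get <volume>` uses a `<volume>` placeholder where every other command in the hunk uses `C:`; pick one style.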
@ -102,20 +103,20 @@ You may experience a problem that damages an area of a hard disk on which BitLoc
The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS.

> [!TIP]
> If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume.
> If you aren't backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume.

The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true:
The Repair-bde command-line tool is intended for use when the operating system doesn't start or when you can't start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true:

- You have encrypted the drive by using BitLocker Drive Encryption.
- Windows does not start, or you cannot start the BitLocker recovery console.
- You do not have a copy of the data that is contained on the encrypted drive.
- Windows doesn't start, or you can't start the BitLocker recovery console.
- You don't have a copy of the data that is contained on the encrypted drive.

> [!NOTE]
> Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.

The following limitations exist for Repair-bde:

- The Repair-bde command-line tool cannot repair a drive that failed during the encryption or decryption process.
- The Repair-bde command-line tool can't repair a drive that failed during the encryption or decryption process.
- The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted.

For more information about using repair-bde, see [Repair-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11)).
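Review bot: the unchanged context line that opens this hunk ("The BitLocker Repair Tool (Repair-bde) can be used ...") still contains the duplicated word in "If the BitLocker metadata data on the drive has become corrupt"; since the hunk is already editing this paragraph for wording, drop the second "data" so it reads "If the BitLocker metadata on the drive has become corrupt".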
@ -139,14 +140,14 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
|**Suspend-BitLocker**|<li>Confirm<li>MountPoint<li>RebootCount<li>WhatIf|
|**Unlock-BitLocker**|<li>AdAccountOrGroup<li>Confirm<li>MountPoint<li>Password<li>RecoveryKeyPath<li>RecoveryPassword<li>RecoveryPassword<li>WhatIf|

Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets.

A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the <code>Get-BitLockerVolume</code> cmdlet.

The <code>Get-BitLockerVolume</code> cmdlet output gives information on the volume type, protectors, protection status, and other details.

> [!TIP]
> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors.
> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you don't see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors.
`Get-BitLockerVolume C: | fl`

If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
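Review bot: the `Unlock-BitLocker` table row lists `RecoveryPassword` twice (`<li>RecoveryPassword<li>RecoveryPassword`); remove the duplicate. Two smaller style points in the same hunk: `<code>Get-BitLockerVolume</code>` uses HTML tags where the rest of the page uses backticks, and the `Get-BitLockerVolume C: | fl` line sits as a bare inline-code paragraph directly under the `[!TIP]` blockquote, so it renders outside the tip it belongs to; either prefix it with `> ` or move it into a fenced `powershell` block like the other commands.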
@ -198,7 +199,7 @@ Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw

### Using an AD Account or Group protector in Windows PowerShell

The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster.
The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster.

> [!WARNING]
> The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes
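Review bot: the `[!WARNING]` line at the end of this hunk has no terminating period and says "use" twice ("requires the use of an additional protector for use"); suggest "The **ADAccountOrGroup** protector requires an additional protector (such as TPM, PIN, or recovery key) when used on operating system volumes."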
@ -219,7 +220,7 @@ get-aduser -filter {samaccountname -eq "administrator"}
```

> [!TIP]
> In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
> In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This doesn't require the use of additional features.

The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account:

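Review bot: `WHOAMI /ALL` in the tip should be formatted as inline code (`whoami /all`) like the other commands on the page, and "This doesn't require the use of additional features" leaves the reader guessing which features are meant; since the command it is contrasted with is `get-aduser` in the fenced block above, saying that `whoami` doesn't need the Active Directory PowerShell module would make the point concrete.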
@ -13,6 +13,7 @@ ms.collection:
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
ms.technology: itpro-security
---

# BitLocker: Use BitLocker Recovery Password Viewer

@ -12,6 +12,7 @@ ms.collection:
ms.topic: conceptual
ms.date: 04/24/2019
ms.custom: bitlocker
ms.technology: itpro-security
---

# Prepare your organization for BitLocker: Planning and policies

@ -11,6 +11,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
ms.technology: itpro-security
---

# Protecting cluster shared volumes and storage area networks with BitLocker

@ -7,6 +7,7 @@ ms.author: dansimp
ms.prod: windows-client
author: dulcemontemayor
ms.date: 04/02/2019
ms.technology: itpro-security
---

# Encrypted Hard Drive

@ -8,6 +8,7 @@ manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 10/10/2018
ms.technology: itpro-security
---

# Information protection

@ -10,6 +10,7 @@ ms.collection:
- highpri
ms.topic: conceptual
ms.date: 03/26/2019
ms.technology: itpro-security
---

# Kernel DMA Protection

@ -13,6 +13,7 @@ ms.topic: conceptual
ms.date: 09/15/2022
appliesto:
- ✅ <b>Windows 11, version 22H2</b>
ms.technology: itpro-security
---

# Microsoft Pluton security processor

@ -13,6 +13,7 @@ ms.topic: conceptual
ms.date: 09/15/2022
appliesto:
- ✅ <b>Windows 11, version 22H2</b>
ms.technology: itpro-security
---

# Microsoft Pluton as Trusted Platform Module

@ -11,6 +11,7 @@ ms.collection:
ms.topic: conceptual
ms.date: 05/12/2022
ms.author: dansimp
ms.technology: itpro-security
---

# Secure the Windows boot process

@ -9,6 +9,7 @@ manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/03/2021
ms.technology: itpro-security
---

# Back up the TPM recovery information to AD DS

@ -9,6 +9,7 @@ manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 01/18/2022
ms.technology: itpro-security
---

# Change the TPM owner password

@ -11,6 +11,7 @@ ms.collection:
- M365-security-compliance
ms.topic: conceptual
ms.date: 09/03/2021
ms.technology: itpro-security
---

# How Windows uses the Trusted Platform Module

@ -11,6 +11,7 @@ ms.collection:
- highpri
ms.topic: conceptual
ms.date: 09/06/2021
ms.technology: itpro-security
---

# Troubleshoot the TPM

@ -38,35 +39,35 @@ Starting with Windows 10 and Windows 11, the operating system automatically init

## Troubleshoot TPM initialization

If you find that Windows is not able to initialize the TPM automatically, review the following information:
If you find that Windows isn't able to initialize the TPM automatically, review the following information:

- You can try clearing the TPM to the factory default values and allowing Windows to re-initialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article.

- If the TPM is a TPM 2.0 and is not detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM has not been disabled or hidden from the operating system.
- If the TPM is a TPM 2.0 and isn't detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM hasn't been disabled or hidden from the operating system.

- If you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it is turned back on, Windows will re-initialize it.
- If you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it's turned back on, Windows will re-initialize it.

- If you are attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM is not present on the computer. If you have a non-Microsoft driver installed, remove it and then allow the operating system to initialize the TPM.
- If you're attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM isn't present on the computer. If you have a non-Microsoft driver installed, remove it and then allow the operating system to initialize the TPM.

### Troubleshoot network connection issues for Windows 10, versions 1507 and 1511, or Windows 11

If you have Windows 10, version 1507 or 1511, or Windows 11, the initialization of the TPM cannot complete when your computer has network connection issues and both of the following conditions exist:
If you have Windows 10, version 1507 or 1511, or Windows 11, the initialization of the TPM can't complete when your computer has network connection issues and both of the following conditions exist:

- An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through Group Policy.

- A domain controller cannot be reached. This can occur on a computer that is currently disconnected from the network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter).
- A domain controller can't be reached. This can occur on a computer that is currently disconnected from the network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter).

If these issues occur, an error message appears, and you cannot complete the initialization process. To avoid this issue, allow Windows to initialize the TPM while you are connected to the corporate network and you can contact a domain controller.
If these issues occur, an error message appears, and you can't complete the initialization process. To avoid this issue, allow Windows to initialize the TPM while you're connected to the corporate network and you can contact a domain controller.

### Troubleshoot systems with multiple TPMs

Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows does not support this behavior. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article.

For example, toggling TPMs will cause BitLocker to enter recovery mode. We strongly recommend that, on systems with two TPMs, one TPM is selected to be used and the selection is not changed.
For example, toggling TPMs will cause BitLocker to enter recovery mode. We strongly recommend that, on systems with two TPMs, one TPM is selected to be used and the selection isn't changed.

## Clear all the keys from the TPM

You can use the Windows Defender Security Center app to clear the TPM as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, such as attestation. However, even if the TPM is not cleared before a new operating system is installed, most TPM functionality will probably work correctly.
You can use the Windows Defender Security Center app to clear the TPM as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, such as attestation. However, even if the TPM isn't cleared before a new operating system is installed, most TPM functionality will probably work correctly.

Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows operating system will automatically re-initialize it and take ownership again.

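Review bot: the rewritten bullet that starts "If you're attempting to set up BitLocker with the TPM" keeps the sentence "We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker", which doesn't parse: the relative clause should agree with "drivers" ("that are provided"), and "is protected with BitLocker" describes nothing a driver does. Suggest "We recommend always using one of the TPM drivers provided by Microsoft" and, if the BitLocker clause was meant to say something specific, spelling that out while the line is being edited.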
@ -77,13 +78,13 @@ Clearing the TPM resets it to an unowned state. After you clear the TPM, the Win

Clearing the TPM can result in data loss. To protect against such loss, review the following precautions:

- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM.
- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign-in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM.

- Do not clear the TPM on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator.
- Don't clear the TPM on a device you don't own, such as a work or school PC, without being instructed to do so by your IT administrator.

- If you want to temporarily suspend TPM operations and you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm), later in this article.

- Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Do not clear the TPM directly from UEFI.
- Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Don't clear the TPM directly from UEFI.

- Because your TPM security hardware is a physical part of your computer, before clearing the TPM, you might want to read the manuals or instructions that came with your computer, or search the manufacturer's website.

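Review bot: the rewritten bullet "Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Don't clear the TPM directly from UEFI." carries the stray "the" over from the old line; change "to the clear the TPM" to "to clear the TPM" while this line is being touched.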
@ -107,7 +108,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ

## <a href="" id="turn-on-or-turn-off"></a>Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 and higher)

Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC.
Normally, the TPM is turned on as part of the TPM initialization process. You don't normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC.

### Turn on the TPM

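Review bot: the heading in this hunk's context, `## <a href="" id="turn-on-or-turn-off"></a>Turn on or turn off the TPM ...`, embeds an HTML anchor with an empty `href`; the `id` is all the in-page links need, so `<a id="turn-on-or-turn-off"></a>` is enough. Not blocking, but worth cleaning up since the section is being edited anyway.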
@ -121,7 +122,7 @@ If you want to use the TPM after you have turned it off, you can use the followi

3. Select **Shutdown** (or **Restart**), and then follow the UEFI screen prompts.

After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software is not attempting to make changes to the TPM.
After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software isn't attempting to make changes to the TPM.

### Turn off the TPM

@ -137,9 +138,9 @@ If you want to stop using the services that are provided by the TPM, you can use

- If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the .tpm file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off**.

- If you do not have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**.
- If you don't have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**.

- If you did not save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
- If you didn't save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.

## Use the TPM cmdlets

@ -9,6 +9,7 @@ ms.collection:
- M365-security-compliance
ms.topic: conceptual
ms.date: 09/06/2021
ms.technology: itpro-security
---

# Manage TPM commands

@ -9,6 +9,7 @@ manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/06/2021
ms.technology: itpro-security
---
# Manage TPM lockout


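Review bot: in this hunk `# Manage TPM lockout` follows the closing `---` with no blank line in between, unlike every other file in the commit, where a blank line separates the front matter from the H1. Add the blank line so the file matches its siblings.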
@ -10,6 +10,7 @@ ms.collection:
- M365-security-compliance
ms.topic: conceptual
ms.date: 09/06/2021
ms.technology: itpro-security
---

# Understanding PCR banks on TPM 2.0 devices

@ -10,6 +10,7 @@ ms.collection:
- M365-security-compliance
ms.topic: conceptual
ms.date: 12/27/2021
ms.technology: itpro-security
---

# TPM fundamentals

@ -12,6 +12,7 @@ ms.collection:
- highpri
ms.topic: conceptual
ms.date: 09/06/2021
ms.technology: itpro-security
---

# TPM recommendations

@ -12,6 +12,7 @@ ms.collection:
- highpri
ms.topic: conceptual
adobe-target: true
ms.technology: itpro-security
---

# Trusted Platform Module Technology Overview

@ -10,6 +10,7 @@ ms.collection:
- M365-security-compliance
ms.topic: conceptual
ms.date: 09/06/2021
ms.technology: itpro-security
---

# TPM Group Policy settings

@ -11,6 +11,7 @@ ms.collection:
- highpri
ms.topic: conceptual
ms.date: 09/06/2021
ms.technology: itpro-security
---

# Trusted Platform Module

@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
ms.reviewer:
ms.technology: itpro-security
---

# Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)

@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
ms.reviewer:
ms.technology: itpro-security
---

# How to collect Windows Information Protection (WIP) audit event logs

@ -10,6 +10,7 @@ ms.reviewer: rafals
ms.collection: M365-security-compliance
ms.topic: how-to
ms.date: 07/15/2022
ms.technology: itpro-security
---

# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate

@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
ms.reviewer:
ms.technology: itpro-security
---

# Associate and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune

@ -10,6 +10,7 @@ ms.reviewer: rafals
ms.collection: M365-security-compliance
ms.topic: how-to
ms.date: 07/15/2022
ms.technology: itpro-security
---

# Create and deploy a Windows Information Protection policy in Configuration Manager

@ -9,6 +9,7 @@ ms.reviewer: rafals
ms.collection: M365-security-compliance
ms.topic: how-to
ms.date: 07/15/2022
ms.technology: itpro-security
---

# Create a Windows Information Protection policy in Microsoft Intune

@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/05/2019
ms.reviewer:
ms.technology: itpro-security
---

# Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune

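Review bot: `ms.reviewer:` is empty in the context line right before the new `ms.technology` key; either assign a reviewer or delete the key so the front matter does not ship a null value.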
@ -10,6 +10,7 @@ manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 05/02/2019
ms.technology: itpro-security
---

# List of enlightened Microsoft apps for use with Windows Information Protection (WIP)

@ -10,6 +10,7 @@ manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
ms.technology: itpro-security
---

# General guidance and best practices for Windows Information Protection (WIP)

@ -9,6 +9,7 @@ author: lizgt2000
ms.author: lizlong
ms.reviewer: aaroncz
manager: dougeby
ms.technology: itpro-security
---

# How to disable Windows Information Protection (WIP)

@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/05/2019
ms.localizationpriority: medium
ms.technology: itpro-security
---

# Limitations while using Windows Information Protection (WIP)

@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 05/25/2022
ms.reviewer:
ms.technology: itpro-security
---

# Mandatory tasks and settings required to turn on Windows Information Protection (WIP)

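Review bot: the empty `ms.reviewer:` context line sits immediately above the added `ms.technology: itpro-security`; name a reviewer or remove the key while the block is open.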
@ -10,6 +10,7 @@ manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
ms.technology: itpro-security
---

# Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager

@ -10,6 +10,7 @@ manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/11/2019
ms.technology: itpro-security
---

# Create a Windows Information Protection (WIP) policy using Microsoft Intune

@ -11,6 +11,7 @@ ms.collection:
- M365-security-compliance
ms.topic: overview
ms.date: 07/15/2022
ms.technology: itpro-security
---

# Protect your enterprise data using Windows Information Protection (WIP)

@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/25/2019
ms.reviewer:
ms.technology: itpro-security
---

# Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)

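Review bot: `ms.reviewer:` has no value in the context line just before the new `ms.technology` key; fill it in or drop the empty key as part of this front-matter change.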
@ -10,6 +10,7 @@ manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/05/2019
ms.technology: itpro-security
---

# Testing scenarios for Windows Information Protection (WIP)

@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
ms.reviewer:
ms.technology: itpro-security
---

# Using Outlook on the web with Windows Information Protection (WIP)

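Review bot: the `ms.reviewer:` context line above the added `ms.technology: itpro-security` is empty; assign a reviewer or remove the key rather than leaving a null field.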
@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
ms.reviewer:
ms.technology: itpro-security
---

# Determine the Enterprise Context of an app running in Windows Information Protection (WIP)

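Review bot: `ms.reviewer:` is left empty in the context line preceding the new `ms.technology` key; set a value or delete the key while this front matter is being edited.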
@ -10,6 +10,7 @@ manager: dougeby
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
ms.technology: itpro-security
---

# Fine-tune Windows Information Protection (WIP) with WIP Learning
