From f0d0dd71a9b87b60afad96a4051dee187a34657f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 24 Sep 2020 11:31:06 +0530 Subject: [PATCH 1/3] Update ts-bitlocker-cannot-encrypt-tpm-issues.md --- .../ts-bitlocker-cannot-encrypt-tpm-issues.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md index c112d898f7..93e95c46e6 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md @@ -19,14 +19,14 @@ ms.custom: bitlocker # BitLocker cannot encrypt a drive: known TPM issues -This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. +This article describes common issues that affect the trusted platform module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. > [!NOTE] > If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md). ## The TPM is locked and you see "The TPM is defending against dictionary attacks and is in a time-out period" -When you turn on BitLocker Drive Encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period." +When you turn on BitLocker drive encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period." ### Cause @@ -42,12 +42,12 @@ To resolve this issue, follow these steps: $Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)} ``` -1. Restart the computer. If you are prompted at the restart screen, press F12 to agree. -1. Try again to start BitLocker Drive Encryption. +2. Restart the computer. If you are prompted at the restart screen, press F12 to agree. +3. Retry starting BitLocker drive encryption. ## You cannot prepare the TPM, and you see "The TPM is defending against dictionary attacks and is in a time-out period" -You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period." +You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period." ### Cause @@ -58,11 +58,11 @@ The TPM is locked out. To resolve this issue, disable and re-enable the TPM. To do this, follow these steps: 1. Restart the device, and change the BIOS configuration to disable the TPM. -1. Restart the device again, and return to the TPM management console. You should receive a message that resembles the following: +2. Restart the device again, and return to the TPM management console. You should receive a message that resembles the following: > Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS. -1. Restart the device, and change the BIOS configuration to enable the TPM. -1. Restart the device, and return to the TPM management console. +3. Restart the device, and change the BIOS configuration to enable the TPM. +4. Restart the device, and return to the TPM management console. If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm). @@ -71,11 +71,11 @@ If you still cannot prepare the TPM, clear the existing TPM keys. To do this, fo ## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005 -You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker Drive Encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights." +You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker drive encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights." ### Cause -The TPM did not have sufficient permissions on the TPM Devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker Drive Encryption could not run. +The TPM did not have sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker drive encryption could not run. This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10. @@ -83,7 +83,7 @@ This issue appears to be limited to computers that run versions of Windows that To verify that you have correctly identified this issue, use one of the following methods: -- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker Drive Encryption again. The operation should now succeed. +- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker drive encryption again. The operation should now succeed. - Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the "Access Denied" or "Insufficient Rights" error. In this case, you should see the error when the client tries to access its object in the "CN=TPM Devices,DC=\<*domain*>,DC=com" container. 1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command: @@ -98,9 +98,9 @@ To verify that you have correctly identified this issue, use one of the followin ## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server" -Your domain controllers were upgraded from Windows Server 2008 R2to Windows Server 2012 R2. A Group Policy Object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. +Your domain controllers were upgraded from Windows Server 2008 R2 to Windows Server 2012 R2. A group policy object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. -You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following: +You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following: > 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled From 98936b6e624f620127515aadb9c8ca2f267a6c33 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Fri, 16 Oct 2020 18:13:52 +0530 Subject: [PATCH 2/3] Reviewed ts-bitlocker-cannot-encrypt-tpm-issues.md (#3998) Made minor changes --- .../ts-bitlocker-cannot-encrypt-tpm-issues.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md index 93e95c46e6..2c7e7eecb9 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md @@ -19,7 +19,7 @@ ms.custom: bitlocker # BitLocker cannot encrypt a drive: known TPM issues -This article describes common issues that affect the trusted platform module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. +This article describes common issues that affect the Trusted Platform Module (TPM) that might prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. > [!NOTE] > If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md). @@ -41,8 +41,7 @@ To resolve this issue, follow these steps: ```ps $Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)} ``` - -2. Restart the computer. If you are prompted at the restart screen, press F12 to agree. +2. Restart the computer. If you are prompted at the restart screen, press F12 to agree.8 3. Retry starting BitLocker drive encryption. ## You cannot prepare the TPM, and you see "The TPM is defending against dictionary attacks and is in a time-out period" @@ -58,7 +57,7 @@ The TPM is locked out. To resolve this issue, disable and re-enable the TPM. To do this, follow these steps: 1. Restart the device, and change the BIOS configuration to disable the TPM. -2. Restart the device again, and return to the TPM management console. You should receive a message that resembles the following: +2. Restart the device again, and return to the TPM management console. Following message is displayed: > Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS. 3. Restart the device, and change the BIOS configuration to enable the TPM. @@ -94,7 +93,7 @@ To verify that you have correctly identified this issue, use one of the followin In this command, *ComputerName* is the name of the affected computer. -1. To resolve the issue, use a tool such as dsacls.exe to make sure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF. +1. To resolve the issue, use a tool such as dsacls.exe to ensure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF. ## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server" @@ -108,16 +107,16 @@ You have confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformati ### Cause -The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS may not be correctly set. +The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS might not be correctly set. ### Resolution To resolve this issue, follow these steps: 1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2. -1. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133). -1. In the script, modify the value of **strPathToDomain** to your domain name. -1. Open an elevated PowerShell window, and run the following command: +2. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133). +3. In the script, modify the value of **strPathToDomain** to your domain name. +4. Open an elevated PowerShell window, and run the following command: ```ps cscript Add-TPMSelfWriteACE.vbs From 14c59a88b18c920b0f52c972a2f0ff172c4c5329 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 11:03:32 +0530 Subject: [PATCH 3/3] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A|