diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md index efe78a018c..530e9df085 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md @@ -1,6 +1,6 @@ --- title: BitLocker cannot encrypt a drive known issues -description: +description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive ms.reviewer: kaushika ms.prod: w10 ms.sitesec: library @@ -79,11 +79,11 @@ To verify that this issue has occurred, follow these steps: 1. Copy this output, and then use it as part of the [**ConvertFrom-SddlString**](https://docs.microsoft.com/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring?view=powershell-6) command in the PowerShell window, as follows: - ![](./images/ts-bitlocker-usb-sddl.png) + ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE](./images/ts-bitlocker-usb-sddl.png) If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause of the problem. Under typical conditions, the output should resemble the following: - ![default](./images/ts-bitlocker-usb-default-sddl.png) + ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users](./images/ts-bitlocker-usb-default-sddl.png) > [!NOTE] > GPOs that change the security descriptors of services have been known to cause this issue. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md index 8ddafeb91a..9791332251 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md 
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md @@ -1,6 +1,6 @@ --- title: BitLocker cannot encrypt a drive known TPM issues -description: +description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive, and that you can attribute to the TPM ms.reviewer: kaushika ms.prod: w10 ms.sitesec: library diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md index f28ca0ac45..753d5c494e 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md @@ -1,6 +1,6 @@ --- title: BitLocker configuration known issues -description: +description: Describes common issues that involve your BitLocker configuration and BitLocker's general functionality, and provides guidance for addressing those issues. ms.reviewer: kaushika ms.prod: w10 ms.sitesec: library @@ -11,7 +11,7 @@ manager: kaushika audience: ITPro ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting -ms.date: 9/27/2019 +ms.date: 10/7/2019 --- # BitLocker configuration: known issues diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index f5fd7a11b4..44a1779f36 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md 
@@ -1,6 +1,6 @@ --- title: Decode Measured Boot logs to track PCR changes -description: +description: Provides instructions for installing and using a tool for analyzing log information to identify changes to PCRs ms.reviewer: kaushika ms.prod: w10 ms.sitesec: library @@ -11,7 +11,7 @@ manager: kaushika audience: ITPro ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting -ms.date: 10/4/2019 +ms.date: 10/7/2019 --- # Decode Measured Boot logs to track PCR changes @@ -39,11 +39,11 @@ To install the tool, follow these steps: 1. Accept the default installation path. - ![](./images/ts-tpm-1.png) + ![Specify Location page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-1.png) 1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit—Controller + Studio**. - ![](./images/ts-tpm-2.png) + ![Select features page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-2.png) 1. Finish the installation. @@ -54,7 +54,7 @@ To install the tool, follow these steps: The TBSLogGenerator.exe file resides in this folder. - ![](./images/ts-tpm-3.png) + ![Properties and location of the TBSLogGenerator.exe file](./images/ts-tpm-3.png) 1. Run the following command: ```cmd 
@@ -67,16 +67,16 @@ To install the tool, follow these steps: TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt ``` - ![](./images/ts-tpm-4.png) + ![Command Prompt window that shows an example of how to use TBSLogGenerator](./images/ts-tpm-4.png) The command produces a text file that uses the specified name. In the case of the example, the file is **0000000005-0000000000.txt**. The file resides in the same folder as the original .log file. - ![](./images/ts-tpm-5.png) + ![Windows Explorer window that shows the text file that TBSLogGenerator produces](./images/ts-tpm-5.png) The content of this text file resembles the following: -![](./images/ts-tpm-6.png) +![Contents of the text file, as shown in NotePad](./images/ts-tpm-6.png) To find the PCR information, go to the end of the file. - ![](./images/ts-tpm-7.png) + ![View of NotePad that shows the PCR information at the end of the text file](./images/ts-tpm-7.png) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index deaf0a07c1..95dd1e5cd4 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -1,6 +1,6 @@ --- title: Enforcing BitLocker policies by using Intune known issues -description: +description: provides assistance for issues that you may see if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. ms.reviewer: kaushika ms.prod: w10 ms.sitesec: library 
@@ -11,12 +11,12 @@ manager: kaushika audience: ITPro ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting -ms.date: 10/2/2019 +ms.date: 10/7/2019 --- # Enforcing BitLocker policies by using Intune: known issues -This article provides assistance for issues you may see if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates if BitLocker has failed to encrypt on or more managed devices. +This article provides assistance for issues that you may see if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt on or more managed devices. ![The BitLocker status indictors on the Intune portal](./images/4509189_en_1.png) @@ -314,13 +314,13 @@ The OMA-URI references for these settings are the following: During regular operations, BitLocker Drive Encryption generates events such as event ID 796 and event ID 845. -![](./images/4509203_en_1.png) +![Event ID 796, as shown in Event Viewer](./images/4509203_en_1.png) -![](./images/4509204_en_1.png) +![Event ID 845, as shown in Event Viewer](./images/4509204_en_1.png) You can also verify if the BitLocker Recovery Key has been uploaded to Azure by checking the device details in the Azure AD Devices section. -![](./images/4509205_en_1.png) +![BitLocker recovery key information as viewed in Azure AD](./images/4509205_en_1.png) On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys: diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md index b54f89721d..6b96629ae0 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md 
@@ -279,4 +279,4 @@ To resolve this issue, do one of the following: - Remove any device that uses TPM 1.2 from any group that is subject to Group Policy Objects (GPOs) that enforce Secure Launch. - Modify the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**. - ![](./images/4496674_en_1.png) + ![The Turn On Virtualization Based Security policy dialog box](./images/4496674_en_1.png)
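Review bot: In ts-bitlocker-cannot-encrypt-issues.md, hunk @@ -79,11, the two new alt texts write the account names with a doubled backslash (`NT AUTHORITY\\INTERACTIVE`, `NT AUTHORITY\\Authenticated Users`), while the paragraph between them writes `NT AUTHORITY\INTERACTIVE` with a single one. Please confirm that the alt text renders with one backslash in the published page and use the same form in both places, because this string is what the reader compares against the ConvertFrom-SddlString output to decide whether the service security descriptor is the cause.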
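Review bot: In ts-bitlocker-decode-measured-boot-logs.md, hunk @@ -67,16, the new alt texts use "NotePad" twice and "Windows Explorer" once. The product name is "Notepad", and since the front matter has `ms.prod: w10`, the file manager should be called "File Explorer". Suggest "Contents of the text file, as shown in Notepad" and "File Explorer window that shows the text file that TBSLogGenerator produces". The ts-tpm-6.png image line is also the only one in this hunk that is not indented under its list item, which is worth aligning while the line is being touched.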
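Review bot: In ts-bitlocker-intune-issues.md, hunk @@ -1,6, the new `description:` value starts with a lowercase "provides" and ends with a period, whereas the descriptions added to the cannot-encrypt, TPM and Measured Boot files in this patch start with a capital letter and have no trailing period (the config-issues description also ends with a period). Suggest "Provides assistance for issues that you may see if you use Microsoft Intune policy to manage silent BitLocker encryption on devices" and picking one punctuation convention for all six descriptions.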
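Review bot: In ts-bitlocker-intune-issues.md, hunk @@ -11,12, the rewritten intro sentence still reads "has failed to encrypt on or more managed devices"; the typo carried over from the removed line and should be "one or more managed devices". The unchanged alt text on the next image line ("The BitLocker status indictors on the Intune portal") has "indictors" for "indicators", which fits the scope of this alt-text pass and can be fixed in the same hunk.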
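Review bot: In ts-bitlocker-recovery-issues.md, the only hunk is @@ -279,4, so `ms.date` in this file is left as it was, and the same is true of ts-bitlocker-cannot-encrypt-issues.md and ts-bitlocker-cannot-encrypt-tpm-issues.md, whose hunks do not reach the `ms.date` line. The config-issues, decode-measured-boot-logs and intune files all get `ms.date: 10/7/2019` in this patch. Either bump the date in the remaining three files as well or note in the commit message why only some are updated, so the freshness metadata is consistent across the troubleshooting set.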