From fdbc304e6491fd28919ebcdbf618523fb382bcdb Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 24 Sep 2020 17:16:50 +0530 Subject: [PATCH 1/3] Update ts-bitlocker-network-unlock-issues.md --- .../ts-bitlocker-network-unlock-issues.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md index b5882849d0..1751050bc3 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md @@ -18,20 +18,20 @@ ms.custom: bitlocker # BitLocker Network Unlock: known issues -By using the BitLocker Network Unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To do this, You have to configure your environment to meet the following requirements: +By using the BitLocker network unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To do this, you have to configure your environment to meet the following requirements: - Each computer belongs to a domain - Each computer has a wired connection to the corporate network - The corporate network uses DHCP to manage IP addresses - Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware -For general guidelines about how to troubleshoot Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#troubleshoot-network-unlock). +For general guidelines about the procedure to troubleshoot network unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#troubleshoot-network-unlock). -This article describes several known issues that you may encounter when you use Network Unlock, and provides guidance to address these issues. +This article describes several known issues that you may encounter when you use network unlock feature, and provides guidance to address these issues. -## Tip: Detect whether BitLocker Network Unlock is enabled on a specific computer +## Tip: Detect whether BitLocker network unlock is enabled on a specific computer -You can use the following steps on computers that have either x64 or x32 UEFI systems. You can also script these commands. +You can use the following steps on computers that have either x64 or x32 UEFI systems. You can also script these commands: 1. Open an elevated Command Prompt window and run the following command: @@ -40,15 +40,15 @@ You can use the following steps on computers that have either x64 or x32 UEFI sy ``` where \<*Drive*> is the drive letter, followed by a colon (:), of the bootable drive. - If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker Network Unlock. + If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker network unlock. 1. Start Registry Editor, and verify the following settings: - Entry **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE: OSManageNKP** is set to **1** - - Subkey **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP\\Certificates** has an entry whose name matches the name of the certificate thumbprint of the Network Unlock key protector that you found in step 1. + - Subkey **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP\\Certificates** has an entry whose name matches the name of the certificate thumbprint of the network unlock key protector that you found in step 1. -## On a Surface Pro 4 device, BitLocker Network Unlock does not work because the UEFI network stack is incorrectly configured +## On a Surface Pro 4 device, BitLocker network unlock does not work because the UEFI network stack is incorrectly configured -You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have configured the UEFI of the device to use DHCP. However, when you restart the device, it still prompts you for the BitLocker PIN. +You have configured BitLocker network unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have configured the UEFI of the device to use DHCP. However, when you restart the device, it still prompts you for the BitLocker PIN. You test another device, such as a different type of tablet or laptop PC, that is configured to use the same infrastructure. The device restarts as expected, without prompting for the BitLocker PIN. You conclude that the infrastructure is correctly configured, and the issue is specific to the device. @@ -61,28 +61,28 @@ The UEFI network stack on the device was incorrectly configured. To correctly configure the UEFI network stack of the Surface Pro 4, you have to use Microsoft Surface Enterprise Management Mode (SEMM). For information about SEMM, see [Enroll and configure Surface devices with SEMM](https://docs.microsoft.com/surface/enroll-and-configure-surface-devices-with-semm). > [!NOTE] -> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker Network Unlock by configuring the device to use the network as its first boot option. +> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker network unlock by configuring the device to use the network as its first boot option. -## Unable to use BitLocker Network Unlock feature on a Windows client computer +## Unable to use BitLocker network unlock feature on a Windows client computer -You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8-based client computer that is connected to the corporate LAN by using an Ethernet Cable. However, when you restart the computer, it still prompts you for the BitLocker PIN. +You have configured BitLocker network unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8-based client computer that is connected to the corporate LAN by using an Ethernet cable. However, when you restart the computer, it still prompts you for the BitLocker PIN. ### Cause -A Windows 8-based or Windows Server 2012-based client computer sometimes does not receive or use the Network Unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server. +A Windows 8-based or Windows Server 2012-based client computer sometimes does not receive or use the network unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP or WDS server. DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests. The manner in which a DHCP server handles an incoming message depends in part on whether the message uses the Message Type option: -- The first two messages that the BitLocker Network Unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages. -- The third message that the BitLocker Network Unlock client sends does not have the Message Type option. The DHCP server treats the message as a BOOTP request. +- The first two messages that the BitLocker network unlock client sends are DHCP DISCOVER\REQUEST messages. These messages use the Message Type option; therefore, the DHCP server treats them as DHCP messages. +- The third message that the BitLocker network unlock client sends does not have the Message Type option. The DHCP server treats the message as a BOOTP request. A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. (In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages.) After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client does not send a DHCPREQUEST message, nor does that client expect a DHCPACK message. If a DHCP server that is not configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message. -For more information about DHCP and BitLocker Network Unlock, see [BitLocker: How to enable Network Unlock: Network Unlock sequence](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence) +For more information about DHCP and BitLocker network unlock, see [BitLocker: How to enable Network Unlock: Network Unlock sequence](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence) ### Resolution From ae5936aa3076b87b3e6bf9fe1a91de5cd6d92aaa Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 10:38:52 +0530 Subject: [PATCH 2/3] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From c9599777d2e848423946e3fd1b4aa449a1f751e4 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Fri, 10 Jun 2022 17:08:58 +0530 Subject: [PATCH 3/3] fixed suggestion --- .../bitlocker/bitlocker-basic-deployment.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index e76c7e5c7b..1e29149153 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -115,7 +115,6 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes |Encryption Type|Windows 11, Windows 10, and Windows 8.1|Windows 8|Windows 7| - |--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted|