mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 02:43:43 +00:00
Search/replace pass
@ -27,7 +27,7 @@ Open Event Viewer and review the following logs under applications and services
- **BitLocker-DrivePreparationTool**. Review the Admin log and the Operational log, and any other logs that are generated in this folder.

> [!NOTE]
> If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section. Use the [wevtutil.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil) command-line tool to export logs.
> If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section. Use the [wevtutil.exe](https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil) command-line tool to export logs.

### Check the status of the components that BitLocker uses
@ -35,10 +35,10 @@ Open an elevated Windows PowerShell window, and run each of the following comman

|Command |Notes |
| - | - |
|[**get-tpm \> C:\\TPM.txt**](https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule/get-tpm?view=win10-ps) |Exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet is not supported in Windows 7. |
|[**manage-bde –status \> C:\\BDEStatus.txt**](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-status) |Exports information about the general encryption status of all drives on the computer. |
|[**manage-bde c: <br />-protectors -get \> C:\\Protectors**](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-protectors) |Exports information about the protection methods that are used for the BitLocker encryption key. |
|[**reagentc /info \> C:\\reagent.txt**](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/reagentc-command-line-options) |Exports information about the current status of the Windows Recovery Environment (Windows RE) and any available recovery image on an online or offline image |
|[**get-tpm \> C:\\TPM.txt**](https://docs.microsoft.com/powershell/module/trustedplatformmodule/get-tpm?view=win10-ps) |Exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet is not supported in Windows 7. |
|[**manage-bde –status \> C:\\BDEStatus.txt**](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-status) |Exports information about the general encryption status of all drives on the computer. |
|[**manage-bde c: <br />-protectors -get \> C:\\Protectors**](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-protectors) |Exports information about the protection methods that are used for the BitLocker encryption key. |
|[**reagentc /info \> C:\\reagent.txt**](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) |Exports information about the current status of the Windows Recovery Environment (Windows RE) and any available recovery image on an online or offline image |

### Other information to gather
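Review bot: the `manage-bde –status` command in the second table row (old and new versions alike) uses an en dash before `status` instead of a hyphen, so it fails when copied into a shell; since the row is being rewritten anyway, make it `manage-bde -status \> C:\\BDEStatus.txt`. In the same table `C:\\Protectors` is the only redirect target without a `.txt` extension, unlike `C:\\TPM.txt`, `C:\\BDEStatus.txt` and `C:\\reagent.txt`.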
@ -46,8 +46,8 @@ Open an elevated Windows PowerShell window, and run each of the following comman

|Command |Notes |
| - | - |
|[**gpresult /h \<Filename>**](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult) |Exports the resultant set of Group Policy, and saves the information as an HTML file. |
|[**msinfo /report \<Path> /computer \<ComputerName>**](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msinfo32) |Exports comprehensive information about the hardware, system components, and software environment on the local computer. The **/report** option saves the information as a TXT file. |
|[**gpresult /h \<Filename>**](https://docs.microsoft.com/windows-server/administration/windows-commands/gpresult) |Exports the resultant set of Group Policy, and saves the information as an HTML file. |
|[**msinfo /report \<Path> /computer \<ComputerName>**](https://docs.microsoft.com/windows-server/administration/windows-commands/msinfo32) |Exports comprehensive information about the hardware, system components, and software environment on the local computer. The **/report** option saves the information as a TXT file. |

1. Open Registry Editor, and export the entries in the following subkeys:
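Review bot: the `msinfo /report \<Path> /computer \<ComputerName>` row links to the `msinfo32` command reference but names the executable `msinfo`; the tool is `msinfo32.exe`, so the bolded command should read `msinfo32 /report <Path> /computer <ComputerName>` to match its own link.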
@ -65,7 +65,7 @@ Common settings that can cause problems for BitLocker—or may help you narr
- On legacy computers, the system reserved partition must be formatted as NTFS.
- If the device that you are troubleshooting is a Slate, use <https://gpsearch.azurewebsites.net/#8153> to verify the status of the **Enable use of BitLocker authentication requiring preboot keyboard input on slates**.

For more information about the BitLocker prerequisites, see [BitLocker basic deployment: Using BitLocker to encrypt volumes](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-basic-deployment#using-bitlocker-to-encrypt-volumes)
For more information about the BitLocker prerequisites, see [BitLocker basic deployment: Using BitLocker to encrypt volumes](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-basic-deployment#using-bitlocker-to-encrypt-volumes)

## Next steps
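Review bot: the Slate bullet ends in "verify the status of the **Enable use of BitLocker authentication requiring preboot keyboard input on slates**" with no noun after the bold policy name; add "policy setting" after it. The "For more information about the BitLocker prerequisites" sentence, in both its old and new form, has no terminating period.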
@ -57,7 +57,7 @@ To verify the presence of this issue, follow these steps:

> D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)

1. Copy this output, and then use it as part of the [**ConvertFrom-SddlString**](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring?view=powershell-6) command in the PowerShell window, as follows:
1. Copy this output, and then use it as part of the [**ConvertFrom-SddlString**](https://docs.microsoft.com/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring?view=powershell-6) command in the PowerShell window, as follows:


@ -84,7 +84,7 @@ The issue should now be resolved.

## <a id="scenario-2"></a>In Windows 10, BitLocker takes more time to encrypt a drive than in Windows 7

Reference: <https://internal.support.services.microsoft.com/en-us/help/3217793>
Reference: <https://internal.support.services.microsoft.com/help/3217793>

### Symptoms
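Review bot: removing `/en-us/` from `https://internal.support.services.microsoft.com/help/3217793` leaves a link that readers of this public repository cannot open, since the host is Microsoft-internal; the same host is referenced in most of the later hunks of this commit. Replace each with the public `support.microsoft.com` article where one exists, otherwise drop the "Reference:" line rather than ship a dead link.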
@ -123,11 +123,11 @@ After Windows 7 was released, several other areas of BitLocker were improved:

- **Integration with Azure Active Directory**. BitLocker can store keys in Azure AD, which makes them easier to recover.

- **[Direct memory access (DMA) port protection](https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**. By using MDM policies to manage BitLocker, you can block a device's DMA ports and secure the device during its startup.
- **[Direct memory access (DMA) port protection](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**. By using MDM policies to manage BitLocker, you can block a device's DMA ports and secure the device during its startup.

- **[BitLocker Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock)**. If your BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, you can automatically unlock its operating system volume during a system restart.
- **[BitLocker Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock)**. If your BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, you can automatically unlock its operating system volume during a system restart.

- **Support for [Encrypted Hard Drives](https://docs.microsoft.com/en-us/windows/security/information-protection/encrypted-hard-drive)**. Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption.
- **Support for [Encrypted Hard Drives](https://docs.microsoft.com/windows/security/information-protection/encrypted-hard-drive)**. Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption.

- **Support for classes of HDD/SSD hybrid disks**. BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology.
@ -16,14 +16,14 @@ ms.date: 9/19/2019

# Decode Measured Boot logs to track PCR changes

From [https://internal.support.services.microsoft.com/en-us/help/4345799](https://internal.support.services.microsoft.com/en-us/help/4345799)
From [https://internal.support.services.microsoft.com/help/4345799](https://internal.support.services.microsoft.com/help/4345799)

[TPM fundamentals: Measured Boot with support for attestation](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-fundamentals#measured-boot-with-support-for-attestation)
[Understanding PCR banks on TPM 2.0 devices](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices)
[TPM fundamentals: Measured Boot with support for attestation](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-fundamentals#measured-boot-with-support-for-attestation)
[Understanding PCR banks on TPM 2.0 devices](https://docs.microsoft.com/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices)

Measured Boot logs are located under C:\\Windows\\Logs\\MeasuredBoot\\ directory.

These logs can be used to figure out which Platform Configuration Register (PCR) got changed resulting into Bitlocker recovery and also figure out what all events were measured into a particular PCR helping us to explain why that PCR changed in the first place.
These logs can be used to figure out which Platform Configuration Register (PCR) got changed resulting into BitLocker recovery and also figure out what all events were measured into a particular PCR helping us to explain why that PCR changed in the first place.

## Install TBSLogGenerator
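Review bot: "These logs can be used to figure out which Platform Configuration Register (PCR) got changed resulting into BitLocker recovery and also figure out what all events were measured into a particular PCR ..." only gained the BitLocker capitalization; the grammar still needs work. Suggest "These logs show which Platform Configuration Register (PCR) changed and triggered BitLocker recovery, and which events were measured into that PCR, which explains why it changed." Likewise "located under C:\\Windows\\Logs\\MeasuredBoot\\ directory" should be "located in the C:\\Windows\\Logs\\MeasuredBoot\\ directory".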
@ -33,7 +33,7 @@ Install Hardware Lab Kit—Controller + Studio on a Windows Server 2016 mach

1. Download the Windows Hardware Lab Kit from one of the following locations:

- [Windows Hardware Lab Kit](https://docs.microsoft.com/en-us/windows-hardware/test/hlk/)
- [Windows Hardware Lab Kit](https://docs.microsoft.com/windows-hardware/test/hlk/)
- Direct Download link for Windows Server 2016: [Windows HLK, version 1607](https://go.microsoft.com/fwlink/p/?LinkID=404112)

1. Accept the default installation path.
@ -16,13 +16,13 @@ ms.date: 9/19/2019

# Enforcing BitLocker policies by using Intune--known issues

Reference: <https://internal.support.services.microsoft.com/en-us/help/4502051>
Reference: <https://internal.support.services.microsoft.com/help/4502051>

On the portal, you should see the Bitlocker encryption failing as shown here:
On the portal, you should see the BitLocker encryption failing as shown here:



Reasons for failure can be many. The best place to start looking for error reason is the event viewer **Applications and Services log** > **Windows** > **Bitlocker API**.
Reasons for failure can be many. The best place to start looking for error reason is the event viewer **Applications and Services log** > **Windows** > **BitLocker API**.

The following sections provide more information about resolving the following events and error messages:
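Review bot: the Event Viewer path "**Applications and Services log** > **Windows** > **BitLocker API**" in the replaced line omits the **Microsoft** folder and mislabels the channel; the log lives under **Applications and Services Logs** > **Microsoft** > **Windows** > **BitLocker-API**. "The best place to start looking for error reason" also needs "the error reason".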
@ -74,7 +74,7 @@ Windows Recovery Environment (WinRE) is the minimal OS based on Windows Preinsta

If the main OS doesn’t boot on some reason, the computer tries to run WinRE.

In case of Silent Bitlocker Encryption, Bitlocker encryption is enabled on OS drive while Windows is still in Pre Boot Environment (Win PE). This is to protect the OS drive contents.
In case of Silent BitLocker Encryption, BitLocker encryption is enabled on OS drive while Windows is still in Pre Boot Environment (Win PE). This is to protect the OS drive contents.

As such it is necessary to have WinRE (Recovery Environment) enabled so that Windows can be recovered in any system crash issues.
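Review bot: the lines around the replacement still carry grammar that a case-fixing pass cannot catch: "doesn’t boot on some reason" should be "doesn’t boot for some reason"; "In case of Silent BitLocker Encryption, BitLocker encryption is enabled on OS drive while Windows is still in Pre Boot Environment (Win PE)" reads better as "With silent BitLocker encryption, BitLocker is enabled on the OS drive while Windows is still in the Windows Preinstallation Environment (WinPE)", matching the spelling the hunk header uses; and "can be recovered in any system crash issues" should be "can be recovered after a system crash".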
@ -110,7 +110,7 @@ BCD config is out of Intune scope so I will not dig into it.

### Cause

Silent Bitlocker Encryption requires UEFI BIOS as it does not supports BIOS in legacy mode. Check the BIOS mode by using msinfo32.
Silent BitLocker Encryption requires UEFI BIOS as it does not supports BIOS in legacy mode. Check the BIOS mode by using msinfo32.


@ -160,11 +160,11 @@ However if you see something like below, your device does not have support:



You can also verify if the Bitlocker Recovery Key has been uploaded to Azure by checking the device details from under Azure AD devices section.
You can also verify if the BitLocker Recovery Key has been uploaded to Azure by checking the device details from under Azure AD devices section.



Registry path to verify the Bitlocker policy as delivered to the device: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\BitLocker**
Registry path to verify the BitLocker policy as delivered to the device: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\BitLocker**


@ -174,7 +174,7 @@ The registry path **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\cu

When deploying Intune Policy to encrypt the device and store the recovery key into Azure Active Directory might fail with Error 0x80072f9a on Windows 10 1809, after enabling the option **Allow standard users to enable encryption during Azure AD Join**.

Checking the event viewer, Bitlocker API Log, you will see the following events:
Checking the event viewer, BitLocker API Log, you will see the following events:

> Event ID:846
>
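Review bot: "When deploying Intune Policy to encrypt the device and store the recovery key into Azure Active Directory might fail with Error 0x80072f9a on Windows 10 1809 ..." has no subject for "might fail"; suggest "Deploying an Intune policy that encrypts the device and stores the recovery key in Azure Active Directory might fail with error 0x80072f9a on Windows 10, version 1809, after you enable ...".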
@ -210,4 +210,4 @@ The logged on user does not have permission to read the private key on the certi

### Resolution

In order to resolve this issue please install [kb4497934](https://support.microsoft.com/en-us/help/4497934/windows-10-update-kb4497934)
In order to resolve this issue please install [kb4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934)
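Review bot: "In order to resolve this issue please install [kb4497934](...)" should read "To resolve this issue, install [KB4497934](...)." with the uppercase KB form the recovery-issues hunk of this commit already uses (KB4507450, KB4507460) and a closing period.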
@ -19,23 +19,23 @@ Use BitLocker without entering a PIN at startup

The most recommended way would be to use the “Network Unlock” feature using which the device could be unlocked remotely without user intervention.

For general guidelines about how to troubleshoot Network Unlock, see [Troubleshoot Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#troubleshoot-network-unlock)
For general guidelines about how to troubleshoot Network Unlock, see [Troubleshoot Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#troubleshoot-network-unlock)

<a id="list"></a>

- [Surface: Bitlocker Network unlock does not work on Surface Pro 4 device due to incorrect configuration of UEFI network stack](#scenario-1)
- [Surface: BitLocker Network unlock does not work on Surface Pro 4 device due to incorrect configuration of UEFI network stack](#scenario-1)
- [Tip: Detect programmatically whether BitLocker Network Unlock is enabled on a specific computer](#scenario-2)
- [Unable to use Bitlocker Network Unlock feature on Windows client computer](#scenario-4)
- [Unable to use BitLocker Network Unlock feature on Windows client computer](#scenario-4)

## <a id="scenario-1"></a>Surface: Bitlocker Network unlock does not work on Surface Pro 4 device due to incorrect configuration of UEFI network stack
## <a id="scenario-1"></a>Surface: BitLocker Network unlock does not work on Surface Pro 4 device due to incorrect configuration of UEFI network stack

### Symptom

Bitlocker Network unlock was configured as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock).
BitLocker Network unlock was configured as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock).

UEFI is set for DHCP, however, when booting a prompt for the PIN is still shown.

Testing with another device (HP Elite X2 tablet) we could conclude that the Bitlocker Network unlock configuration is correct.
Testing with another device (HP Elite X2 tablet) we could conclude that the BitLocker Network unlock configuration is correct.

### Cause
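Review bot: the pass fixed "Bitlocker" but left "Network unlock" next to "Network Unlock" in the same list (compare the scenario-1 entry with the scenario-2 entry) and in the scenario-1 heading and Symptom paragraphs; use "Network Unlock" throughout. The list also jumps from `#scenario-2` to `#scenario-4`, so confirm a scenario 3 was removed on purpose, and "The most recommended way would be to use the “Network Unlock” feature using which the device could be unlocked remotely" is clearer as "The recommended approach is the Network Unlock feature, which unlocks the device remotely without user intervention."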
@ -45,7 +45,7 @@ Very likely network stack was not configured correctly.

SEMM is required to enable the network stack, it is not visible in the UI. Otherwise, setting network as the first boot option will also allow network stack loading in the UEFI if we cannot use SEMM.

For information about SEMM, see [Enroll and configure Surface devices with SEMM](https://docs.microsoft.com/en-us/surface/enroll-and-configure-surface-devices-with-semm)
For information about SEMM, see [Enroll and configure Surface devices with SEMM](https://docs.microsoft.com/surface/enroll-and-configure-surface-devices-with-semm)

[Back to list](#list)
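Review bot: "SEMM is required to enable the network stack, it is not visible in the UI. Otherwise, setting network as the first boot option will also allow network stack loading in the UEFI if we cannot use SEMM." is a comma splice followed by an "Otherwise ... if we cannot" that says the same thing twice; suggest "SEMM is required to enable the network stack; the setting is not exposed in the UI. If SEMM cannot be used, setting the network as the first boot option also loads the network stack in UEFI." The SEMM link sentence also lacks a closing period in both versions.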
@ -61,9 +61,9 @@ Detect the following values:

[Back to list](#list)

## <a id="scenario-4"></a>Unable to use Bitlocker Network Unlock feature on Windows client computer
## <a id="scenario-4"></a>Unable to use BitLocker Network Unlock feature on Windows client computer

From [A Windows 8-based client computer does not use the BitLocker Network Unlock feature](https://internal.support.services.microsoft.com/en-us/help/2891694/a-windows-8-based-client-computer-does-not-use-the-bitlocker-network-u)
From [A Windows 8-based client computer does not use the BitLocker Network Unlock feature](https://internal.support.services.microsoft.com/help/2891694/a-windows-8-based-client-computer-does-not-use-the-bitlocker-network-u)

On a Windows 8-based client computer, you are prompted to enter the BitLocker PIN to start Windows. This occurs even though the computer is connected through an Ethernet cable to the physical corporate LAN and the BitLocker Network Unlock feature is enabled and implemented.
@ -36,8 +36,8 @@ Windows 10 prompts you for a BitLocker recovery key. However, you have not confi

The BitLocker and Active Directory Domain Services (AD DS) FAQ addresses two situations that may produce this symptom, and provides information about how to resolve the issue:

- [What if BitLocker is enabled on a computer before the computer has joined the domain?](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain)
- [What happens if the backup initially fails? Will BitLocker retry the backup?](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-happens-if-the-backup-initially-fails-will-bitlocker-retry-the-backup)
- [What if BitLocker is enabled on a computer before the computer has joined the domain?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain)
- [What happens if the backup initially fails? Will BitLocker retry the backup?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-happens-if-the-backup-initially-fails-will-bitlocker-retry-the-backup)

[Back to list](#list)
@ -51,7 +51,7 @@ The BitLocker Windows Management Instrumentation (WMI) interface does allow admi

## <a id="scenario-3"></a>"Manage-bde -forcerecovery" command is unsupported for testing recovery mode on tablet devices

Reference: <https://internal.support.services.microsoft.com/en-us/help/3119451/manage-bde-forcerecovery-command-is-unsupported-for-testing-recovery-m>
Reference: <https://internal.support.services.microsoft.com/help/3119451/manage-bde-forcerecovery-command-is-unsupported-for-testing-recovery-m>

### Symptoms
@ -94,7 +94,7 @@ To resolve this issue, follow these steps:

## <a id="scenario-4"></a>Prompted for BitLocker recovery key after installing updates to Surface UEFI or TPM firmware on Surface device

Reference: <https://internal.support.services.microsoft.com/en-us/help/4057282/bitlocker-recovery-key-prompt-after-surface-uefi-tpm-firmware-update>
Reference: <https://internal.support.services.microsoft.com/help/4057282/bitlocker-recovery-key-prompt-after-surface-uefi-tpm-firmware-update>

### Symptoms
@ -222,7 +222,7 @@ To reset your device by using a Surface recovery image: Follow the instructions

## <a id="scenario-5"></a>Some devices running Windows 10 with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000

Reference: <https://internal.support.services.microsoft.com/en-us/help/4505821/some-devices-running-windows-10-with-hyper-v-enabled-may-start-into-bi>
Reference: <https://internal.support.services.microsoft.com/help/4505821/some-devices-running-windows-10-with-hyper-v-enabled-may-start-into-bi>

### Symptoms
@ -264,8 +264,8 @@ To prevent this issue, execute the following command to temporarily suspend BitL
{check update KBs--WA no longer needed with updates?}
This issue is now resolved for all platforms in the following updates:

- [KB4507450](https://internal.support.services.microsoft.com/en-us/help/4507450) LCU for Windows 10, version 1703.
- [KB4507460](https://internal.support.services.microsoft.com/en-us/help/4507460) LCU for Windows 10, version 1607 and Windows Server 2016.
- [KB4507450](https://internal.support.services.microsoft.com/help/4507450) LCU for Windows 10, version 1703.
- [KB4507460](https://internal.support.services.microsoft.com/help/4507460) LCU for Windows 10, version 1607 and Windows Server 2016.

[Back to list](#list)
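Review bot: `{check update KBs--WA no longer needed with updates?}` directly above "This issue is now resolved for all platforms in the following updates:" is an author's TODO and will be published verbatim; the list that follows (KB4507450, KB4507460) already answers it, so delete the placeholder and, if the suspend-BitLocker workaround named in the hunk header is no longer needed once those updates are installed, say so explicitly.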
@ -16,7 +16,7 @@ ms.date: 9/19/2019

# BitLocker and TPM--known issues

[Troubleshoot the TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm)
[Troubleshoot the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm)

<a id="list"></a>
@ -78,9 +78,9 @@ To clear / reset the TPM:
You will be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM. After the PC restarts, your TPM will be automatically prepared for use by Windows 10.


### EST/WIN8.1/ Unable to enable Bitlocker ,getting error msg "The TPM is defending against dictionary attacks and is in a time-out period." on Surface pro 3 named "{NAMEPII}-8744853".
### EST/WIN8.1/ Unable to enable BitLocker ,getting error msg "The TPM is defending against dictionary attacks and is in a time-out period." on Surface pro 3 named "{NAMEPII}-8744853".

Unable to enable Bitlocker ,getting error msg "The TPM is defending against dictionary attacks and is in a time-out period." on Surface pro 3 named "{NAMEPII}-8744853".
Unable to enable BitLocker ,getting error msg "The TPM is defending against dictionary attacks and is in a time-out period." on Surface pro 3 named "{NAMEPII}-8744853".

### Cause
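Review bot: the heading "### EST/WIN8.1/ Unable to enable BitLocker ,getting error msg ... on Surface pro 3 named "{NAMEPII}-8744853"." is an internal case title, complete with a PII placeholder and device name, and it is repeated word for word in the paragraph below it; replace the heading with something descriptive such as "Unable to enable BitLocker: "The TPM is defending against dictionary attacks and is in a time-out period"", drop the duplicated paragraph, and fix the " ,getting" spacing.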
@ -88,13 +88,13 @@ TPM Lockout

### Resolution

open Powershell as Admin $Tpm = Get-WmiObject -class Win32\_Tpm -namespace "root\\CIMv2\\Security\\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)} - Reboot - if prompted at boot screen agree with F12 - Try again to configure Bitlocker (we use some scripts, but the GUI is also ok J)
open Powershell as Admin $Tpm = Get-WmiObject -class Win32\_Tpm -namespace "root\\CIMv2\\Security\\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)} - Reboot - if prompted at boot screen agree with F12 - Try again to configure BitLocker (we use some scripts, but the GUI is also ok J)

### PTSMEDEP\PRE\W8.1\unable to enable bitlocker with error The TPM is defending against dictionary attacks and is in a time-out period

[PTSMEDEP\PRE\W8.1\unable to enable bitlocker with error The TPM is defending against dictionary attacks and is in a time-out period.](https://internal.support.services.microsoft.com/en-us/help/4327939)
[PTSMEDEP\PRE\W8.1\unable to enable bitlocker with error The TPM is defending against dictionary attacks and is in a time-out period.](https://internal.support.services.microsoft.com/help/4327939)

This Surface Pro 3 was shipped with Windows 10 and reimaged with Windows 8.1. Bitlocker can not be enabled.
This Surface Pro 3 was shipped with Windows 10 and reimaged with Windows 8.1. BitLocker can not be enabled.
The TPM on this computer is currently locked out.

Classification Path: Routing Surface Pro\Software Issues (Windows 8.1)\BitLocker or device encryption
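Review bot: the case-sensitive replacement missed the lowercase "bitlocker" in "### PTSMEDEP\PRE\W8.1\unable to enable bitlocker with error ..." and in its link text, so the page still mixes spellings; that heading is also an internal case path rather than a title. The Resolution line runs PowerShell and prose together on one line: split it into a fenced code block with `$Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"`, `$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus` and `if ($ConfirmationStatus -ne 4) { $Tpm.SetPhysicalPresenceRequest(22) }`, followed by the reboot and F12 steps as a list; the trailing "J" is a Wingdings smiley left over from an e-mail, and "can not be enabled" should be "cannot be enabled".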
@ -105,7 +105,7 @@ When we tried to Prepare the TPM using tpm.msc console of the Surface Pro 3, we
|
||||
|
||||
## Scenario 2: Loading the management console failed. The device that is required by the cryptographic provider is not ready for use.
|
||||
|
||||
Reference: [https://internal.support.services.microsoft.com/en-us/help/4313961](https://internal.support.services.microsoft.com/en-us/help/4313961)
Reference: [https://internal.support.services.microsoft.com/help/4313961](https://internal.support.services.microsoft.com/help/4313961)
### Symptom
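Review bot: Same problem as the previous hunk: `Reference: [https://internal.support.services.microsoft.com/help/4313961](...)` still points at the internal support portal after the `en-us/` removal, so the search/replace has rewritten a URL that should not be in a public page at all. Either replace KB 4313961 with its public equivalent or drop the Reference line and keep the Symptom/resolution text that follows it.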
@ -123,7 +123,7 @@ Recommended action plan: After consulting with the TPM feature team, We advised
## Scenario 3: Troubleshooting hybrid Azure Active Directory joined devices failure due to TPM
Reference: [https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current](https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current)
Reference: [https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current)
### Symptom:
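Review bot: This is the one hunk where the pass does what it is meant to: `https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current` is the locale-neutral form of a public docs URL and resolves for every reader. A small consistency nit while here: `### Symptom:` carries a trailing colon, while Scenario 2 uses `### Symptom`; pick one form for the headings across the scenarios.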
@ -146,7 +146,7 @@ Windows operating system is not the owner of the TPM
- **Resolution:** Likely due to a bad sysprep image. Ensure the machine from which the sysprep image was created is not Azure AD joined, hybrid Azure AD joined, or Azure AD registered.
Reference: [https://internal.support.services.microsoft.com/en-us/help/4467030](https://internal.support.services.microsoft.com/en-us/help/4467030)
Reference: [https://internal.support.services.microsoft.com/help/4467030](https://internal.support.services.microsoft.com/help/4467030)
#### Error 2: TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641)
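Review bot: `Reference: [https://internal.support.services.microsoft.com/help/4467030](...)` is another internal-portal link that the locale strip leaves unusable for the public; the Resolution bullet above it (`Ensure the machine from which the sysprep image was created is not Azure AD joined, hybrid Azure AD joined, or Azure AD registered.`) already states the fix, so the Reference line can be dropped or swapped for a public docs link without losing content. The hex/decimal pair in `#### Error 2: TPM_E_PCP_INTERNAL_ERROR (0x80290407/-2144795641)` is consistent (0x80290407 is -2144795641 as a signed 32-bit value), so no change is needed there.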
@ -188,11 +188,11 @@ Get-ADComputer -Filter {Name -like "TPMTest"} -Property 1. | Format-Table name,m
1. Provided proper permissions of SELF:
Reference: [https://internal.support.services.microsoft.com/en-us/help/4337282](https://internal.support.services.microsoft.com/en-us/help/4337282)
Reference: [https://internal.support.services.microsoft.com/help/4337282](https://internal.support.services.microsoft.com/help/4337282)
## Scenario 5: 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled
Reference: [https://internal.support.services.microsoft.com/en-us/help/4319021](https://internal.support.services.microsoft.com/en-us/help/4319021)
Reference: [https://internal.support.services.microsoft.com/help/4319021](https://internal.support.services.microsoft.com/help/4319021)
Support Topic: Routing Windows V3\Group Policy\Managing BitLocker configuration through Group Policy
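Review bot: Two more `internal.support.services.microsoft.com` references (KB 4337282 and KB 4319021) are rewritten here but remain internal-only links, and the context line `Support Topic: Routing Windows V3\Group Policy\Managing BitLocker configuration through Group Policy` is support-case routing metadata that, like the Classification Path earlier, should not ship in a public article. While touching this region, the heading `## Scenario 5: 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled` should use the product name `Active Directory`, matching the `Back up the TPM Recovery Information to AD DS` link later on the page.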
@ -218,5 +218,5 @@ DC: Windows Server 2012 r2. The attributes include ms-TPM-OwnerInformation and m
We noticed that he had not added the self-write permissions for the computer objects. So, we downloaded the script Add-TPMSelfWriteACE.vbs and modified the value of strPathToDomain to your domain.Post modification, ran Add-TPMSelfWriteACE.vbs and it ran successfully.We then discovered that the domain and forest functional level are still at 2008 R2 and we wanted to update them first Post updating the domain and forest functional level and setting the required permissions , he confirmed that he was able to successfully back up the TPM information to Active Directory without error : “0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled”.
- [Back up the TPM Recovery Information to AD DS](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds)
- [Prepare your organization for BitLocker: Planning and Policies](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies)
- [Back up the TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds)
- [Prepare your organization for BitLocker: Planning and Policies](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies)
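Review bot: The two docs.microsoft.com link rewrites in this hunk are correct, but the unchanged context paragraph above them (`We noticed that he had not added the self-write permissions for the computer objects. So, we downloaded the script Add-TPMSelfWriteACE.vbs and modified the value of strPathToDomain to your domain.Post modification, ...`) is a case-note dump with missing spaces after periods (`domain.Post`, `successfully.We`), stray spaces before punctuation (`permissions ,`, `error :`), a mid-sentence switch from "he" to "your domain", and a missing period after `we wanted to update them first`. Since this commit is a text-cleanup pass, it would be worth splitting that paragraph into the three steps it describes (run Add-TPMSelfWriteACE.vbs with strPathToDomain set to the customer's domain; raise the domain and forest functional level from 2008 R2; confirm the TPM backup succeeds) so the resolution is readable.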