deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 12:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #8761 from illfated/patch-1

Browse Source 
MarkDown syntax highlighting, whitespace cleanup
This commit is contained in:
Denise Vangel-MSFT
2020-12-09 10:10:10 -08:00
committed by GitHub
parent d768b929fe 95910d97fd
commit f44ad173b8
1 changed files with 11 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
View File

@ -1,5 +1,5 @@
--- ---
title: BitLocker cannot encrypt a drive known TPM issues title: BitLocker cannot encrypt a drive known TPM issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive, and that you can attribute to the TPM description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive, and that you can attribute to the TPM
ms.reviewer: kaushika ms.reviewer: kaushika
ms.technology: windows ms.technology: windows
@ -16,7 +16,6 @@ ms.date: 10/18/2019
ms.custom: bitlocker ms.custom: bitlocker
--- ---
# BitLocker cannot encrypt a drive: known TPM issues # BitLocker cannot encrypt a drive: known TPM issues
This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
@ -38,7 +37,7 @@ To resolve this issue, follow these steps:
1. Open an elevated PowerShell window and run the following script: 1. Open an elevated PowerShell window and run the following script:
```ps ```powershell
$Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm" $Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"
$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)} if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
@ -69,7 +68,7 @@ To resolve this issue, disable and re-enable the TPM. To do this, follow these s
If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm). If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm).
> [!WARNING] > [!WARNING]
> Clearing the TPM can cause data loss. > Clearing the TPM can cause data loss.
## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005 ## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005
@ -81,7 +80,7 @@ The TPM did not have sufficient permissions on the TPM Devices container in Acti
This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10. This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10.
### Resolution ### Resolution
To verify that you have correctly identified this issue, use one of the following methods: To verify that you have correctly identified this issue, use one of the following methods:
@ -90,7 +89,7 @@ To verify that you have correctly identified this issue, use one of the followin
1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command: 1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
```ps ```powershell
Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer
``` ```
@ -100,7 +99,7 @@ To verify that you have correctly identified this issue, use one of the followin
## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server" ## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server"
Your domain controllers were upgraded from Windows Server 2008 R2to Windows Server 2012 R2. A Group Policy Object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. Your domain controllers were upgraded from Windows Server 2008 R2to Windows Server 2012 R2. A Group Policy Object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following: You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following:
@ -117,14 +116,14 @@ The domain and forest functional level of the environment may still be set to Wi
To resolve this issue, follow these steps: To resolve this issue, follow these steps:
1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2. 1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2.
1. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133). 2. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133).
1. In the script, modify the value of **strPathToDomain** to your domain name. 3. In the script, modify the value of **strPathToDomain** to your domain name.
1. Open an elevated PowerShell window, and run the following command: 4. Open an elevated PowerShell window, and run the following command:
```ps ```powershell
cscript <Path>Add-TPMSelfWriteACE.vbs cscript <Path>Add-TPMSelfWriteACE.vbs
``` ```
In this command \<*Path*> is the path to the script file. In this command \<*Path*> is the path to the script file.
For more information, see the following articles: For more information, see the following articles: