mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 10:23:37 +00:00
Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-20240621-whfb
@ -20,7 +20,7 @@ appliesto:
# Microsoft Connected Cache for Internet Service Providers (early preview)

> [!IMPORTANT]
> This document is for Microsoft Connected Cache (early preview). Microsoft Connected Cache for ISPs is now in Public Preview - for our early preview customers, we highly encourage you to migrate your cache nodes to our public preview. See [instructions on how to migrate](#migrating-your-mcc-to-public-preview) below.
> This document is for Microsoft Connected Cache (early preview). Microsoft Connected Cache for ISPs is now in Public Preview - for our early preview customers, we highly encourage you to onboard onto our Public Preview program. For instructions on signing up and onboarding please visit [Operator sign up and service onboarding for Microsoft Connected Cache](mcc-isp-signup.md).

## Overview

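Review bot: The replaced note drops the in-page link to `#migrating-your-mcc-to-public-preview`, and the section that anchor pointed at is removed later in this same change, so the docset should be searched for any other page still linking to that anchor before merge. The new link target `mcc-isp-signup.md` reads fine, but early-preview customers with running cache nodes are now only told to "onboard"; consider one sentence saying what happens to existing early-preview nodes, since the removed section used to cover that.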
@ -441,6 +441,13 @@ If the test fails, for more information, see the [common issues](#common-issues)

## Common Issues

### Microsoft Connected Cache is no longer serving traffic
If you did not migrate your cache node then your cache node may still be on early preview version.
Microsoft Connected Cache for Internet Service Providers is now in Public Preview! To get started, visit [Azure portal](https://www.portal.azure.com) to sign up for Microsoft Connected Cache for Internet Service Providers. Please see [Operator sign up and service onboarding for Microsoft Connected Cache](mcc-isp-signup.md) for more information on the requirements for sign up and onboarding.
<br>
<br>
<br>

> [!NOTE]
> This section only lists common issues. For more information on additional issues you may encounter when configuring IoT Edge, see the [IoT Edge troubleshooting guide](/azure/iot-edge/troubleshoot).

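Review bot: The portal link in the new paragraph uses `https://www.portal.azure.com`, while the migration steps removed later in this diff use `https://portal.azure.com`; use the canonical `https://portal.azure.com` here so both pages agree. The three stray `<br>` lines after that paragraph should also go: raw HTML line breaks in the markdown only add empty space, and the blank line already separates the paragraph from the NOTE that follows. Minor: "may still be on early preview version" wants an article ("on the early preview version").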
@ -551,19 +558,6 @@ If you have an MCC that's already active and running, follow the steps below to

1. To finish configuring your MCC with BGP routing, continue from Step 10 of [Steps to Install MCC](#steps-to-install-mcc). -->

## Migrating your MCC to Public Preview

> [!NOTE]
> Please note, if you reboot your server, the version that you are currently on will no longer function, after which you will be required to migrate to the new version.

We recommend migrating now to the new version to access these benefits and ensure no downtime.

To migrate, use the following steps:

1. Navigate to the cache node that you would like to migrate and select **Download Migration Package** using the button at the top of the page.
1. Follow the instructions under the **Connected Cache Migrate Scripts** section within Azure portal.
:::image type="content" source="images/mcc-isp-migrate.png" alt-text="A screenshot of Azure portal showing the migration instructions for migrating a cache node from the early preview to the public preview." lightbox="images/mcc-isp-migrate.png":::
1. Go to https://portal.azure.com and navigate to your resource to check your migrated cache nodes.

## Uninstalling MCC

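Review bot: Deleting this section removes the only visible reference to `images/mcc-isp-migrate.png`; the image should be deleted in the same change (or another page confirmed to still use it) so an orphaned asset isn't left in the repo. The removed NOTE also carried an operational warning (a reboot breaks the early-preview version); if that is still true for customers who haven't moved, the warning belongs in the Common Issues text that replaces this section rather than being dropped.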
@ -1,8 +1,8 @@
---
title: BCD settings and BitLocker
title: BCD settings and BitLocker
description: Learn how BCD settings are used by BitLocker.
ms.topic: reference
ms.date: 10/30/2023
ms.date: 06/18/2024
---

# Boot Configuration Data settings and BitLocker
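Review bot: The `title: BCD settings and BitLocker` line is shown as changed with no visible difference, which points to a whitespace-only edit (trailing space or line ending) alongside the `ms.date` bump; worth checking the editor settings so the same invisible change isn't repeated across the other front-matter hunks in this merge, which show the same pattern on `title:`, `description:` and code lines.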
@ -2,7 +2,7 @@
title: Configure BitLocker
description: Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO).
ms.topic: how-to
ms.date: 10/30/2023
ms.date: 06/18/2024
---

# Configure BitLocker
@ -1,8 +1,8 @@
---
title: BitLocker countermeasures
description: Learn about technologies and features to protect against attacks on the BitLocker encryption key.
description: Learn about technologies and features to protect against attacks on the BitLocker encryption key.
ms.topic: concept-article
ms.date: 10/30/2023
ms.date: 06/18/2024
---

# BitLocker countermeasures
@ -2,7 +2,7 @@
title: Protect cluster shared volumes and storage area networks with BitLocker
description: Learn how to protect cluster shared volumes (CSV) and storage area networks (SAN) with BitLocker.
ms.topic: how-to
ms.date: 10/30/2023
ms.date: 06/18/2024
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
@ -3,7 +3,7 @@ metadata:
title: BitLocker FAQ
description: Learn more about BitLocker by reviewing the frequently asked questions.
ms.topic: faq
ms.date: 10/30/2023
ms.date: 06/18/2024
title: BitLocker FAQ
summary: Learn more about BitLocker by reviewing the frequently asked questions.

Binary file not shown.
After Width: | Height: | Size: 107 KiB |
Binary file not shown.
After Width: | Height: | Size: 96 KiB |
@ -2,7 +2,7 @@
title: BitLocker overview
description: Learn about BitLocker practical applications and requirements.
ms.topic: overview
ms.date: 10/30/2023
ms.date: 06/18/2024
---

# BitLocker overview
@ -2,7 +2,7 @@
title: Install BitLocker on Windows Server
description: Learn how to install BitLocker on Windows Server.
ms.topic: how-to
ms.date: 10/30/2023
ms.date: 06/18/2024
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
@ -1,8 +1,8 @@
---
title: Network Unlock
title: Network Unlock
description: Learn how BitLocker Network Unlock works and how to configure it.
ms.topic: how-to
ms.date: 10/30/2023
ms.date: 06/18/2024
---

# Network Unlock
@ -255,7 +255,7 @@ The subnet policy configuration file must use a `[SUBNETS]` section to identify
```ini
[SUBNETS]
SUBNET1=10.185.250.0/24 ; a comment about this subrange could be here, after the semicolon
SUBNET2=10.185.252.200/28
SUBNET2=10.185.252.200/28
SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet
SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP.
```

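Review bot: `SUBNET2=10.185.252.200/28` is not on a /28 boundary: a /28 spans 16 addresses, so the network address must be a multiple of 16 in the last octet (`10.185.252.192/28` or `10.185.252.208/28`); `.200` sits inside the `.192/28` block. Admins copy this sample into their subnet policy file, so it should show an aligned prefix, and since this line is the one being touched (the two copies differ only invisibly, so the edit is presumably whitespace) it is the right moment to fix it. Also drop the space in `SUBNET3= 2001:4898:a:2::/64` so the entry matches the others.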
@ -2,7 +2,7 @@
title: BitLocker operations guide
description: Learn how to use different tools to manage and operate BitLocker.
ms.topic: how-to
ms.date: 10/30/2023
ms.date: 06/18/2024
---

# BitLocker operations guide
@ -239,7 +239,7 @@ Add-BitLockerKeyProtector E: -PasswordProtector -Password $pw
**Example**: Use PowerShell to enable BitLocker with a TPM protector

```powershell
Enable-BitLocker D: -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
Enable-BitLocker D: -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
```

**Example**: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to *123456*:

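Review bot: `Enable-BitLocker ... -TpmProtector` only works on the operating system volume, so the example should target the OS drive (typically `C:`) or the lead-in should state that `D:` is the OS volume in this example; as written, a reader running it against a `D:` data volume gets an error. The line is being touched anyway (the two copies are identical, so the edit is presumably whitespace), which makes this the place to correct the drive letter.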
@ -2,7 +2,7 @@
title: BitLocker planning guide
description: Learn how to plan for a BitLocker deployment in your organization.
ms.topic: concept-article
ms.date: 10/30/2023
ms.date: 06/18/2024
---

# BitLocker planning guide
@ -2,14 +2,14 @@
title: BitLocker preboot recovery screen
description: Learn about the information displayed in the BitLocker preboot recovery screen, depending on configured policy settings and recovery keys status.
ms.topic: concept-article
ms.date: 10/30/2023
ms.date: 06/19/2024
---

# BitLocker preboot recovery screen

During BitLocker recovery, the *preboot recovery screen* can display a custom recovery message, a custom recovery URL, and a few hints to help users finding where a key can be retrieved from.
During BitLocker recovery, the *preboot recovery screen* is a critical touchpoint for users, offering a custom recovery message tailored to the organization's needs, a direct recovery URL for additional support, and strategic hints to assist users in locating their recovery key.

This article describes the information displayed in the preboot recovery screen depending on configured policy settings and recovery keys status.
This article delves into the various elements displayed on the preboot recovery screen, detailing how policy settings and the status of recovery keys influence the information presented. Whether it's a personalized message or practical guidance, the preboot recovery screen is designed to streamline the recovery process for users

## Default preboot recovery screen

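Review bot: The rewritten second paragraph ends without a period (`... is designed to streamline the recovery process for users`). Beyond that nit, both rewrites replace plain reference wording with promotional phrasing ("critical touchpoint", "strategic hints", "delves into") that the rest of this page doesn't use and that adds no information the original sentences lacked; suggest keeping the concise originals, which also fixed nothing that was wrong. Separately, this page's `ms.date` is `06/19/2024` while every sibling page in this merge uses `06/18/2024`; fine if the page was reviewed a day later, otherwise align it.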
@ -72,10 +72,10 @@ There are rules governing which hint is shown during the recovery (in the order
:::row:::
:::column span="2":::
In this scenario, the recovery password is saved to a file


> [!IMPORTANT]
> It's not recommend to print recovery keys or saving them to a file. Instead, use Microsoft account, Microsoft Entra ID or Active Directory backup.


:::column-end:::
:::column span="2":::
:::image type="content" source="images/preboot-recovery-hint.png" alt-text="Screenshot of the BitLocker recovery screen showing a hint where the BitLocker recovery key was saved." lightbox="images/preboot-recovery-hint.png" border="false":::
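Review bot: Grammar in the IMPORTANT note this hunk touches: `It's not recommend to print recovery keys or saving them to a file` should read `It isn't recommended to print recovery keys or save them to a file`. The guidance itself is the right one (printed or file-based copies of a recovery password are outside any access control or audit trail, unlike the directory-backed options the note recommends), so it is worth stating cleanly.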
@ -92,7 +92,7 @@ There are rules governing which hint is shown during the recovery (in the order
- saved to Microsoft account
- not printed
- not saved to a file


**Result:** the hints for the custom URL and the Microsoft account (**https://aka.ms/myrecoverykey**) are displayed.
:::column-end:::
:::column span="2":::
@ -110,7 +110,7 @@ There are rules governing which hint is shown during the recovery (in the order
- saved to Active Directory
- not printed
- not saved to a file


**Result:** only the custom URL is displayed.
:::column-end:::
:::column span="2":::
@ -129,7 +129,7 @@ There are rules governing which hint is shown during the recovery (in the order
- saved to Microsoft Entra ID
- printed
- saved to file


**Result:** only the Microsoft account hint (**https://aka.ms/myrecoverykey**) is displayed.
:::column-end:::
:::column span="2":::
@ -149,12 +149,12 @@ There are rules governing which hint is shown during the recovery (in the order
- saved to file
- creation time: **1PM**
- key ID: **4290B6C0-B17A-497A-8552-272CC30E80D4**


The recovery password #2 is:
- not backed up
- creation time: **3PM**
- key ID: **045219EC-A53B-41AE-B310-08EC883AAEDD**


**Result:** only the hint for the successfully backed up key is displayed, even if it isn't the most recent key.
:::column-end:::
:::column span="2":::
@ -175,15 +175,130 @@ There are rules governing which hint is shown during the recovery (in the order
- Saved to Microsoft Entra ID
- creation time: **1PM**
- key ID: **4290B6C0-B17A-497A-8552-272CC30E80D4**


The recovery password #2 is:
- Saved to Microsoft Entra ID
- creation time: **3PM**
- key ID: **045219EC-A53B-41AE-B310-08EC883AAEDD**


**Result:** the Microsoft Entra ID hint (**https://aka.ms/aadrecoverykey**), which is the most recent key saved, is displayed.
:::column-end:::
:::column span="2":::
:::image type="content" source="images/preboot-recovery-multiple-passwords-multiple-backups.png" alt-text="Screenshot of the BitLocker recovery screen showing the key ID of the most recent key." lightbox="images/preboot-recovery-multiple-passwords-multiple-backups.png" border="false":::
:::column-end:::
:::row-end:::

## Additional recovery information screen

Starting in Windows 11, version 24H2, the BitLocker preboot recovery screen enhances the recovery error information. The recovery screen provides more detailed information about the nature of the recovery error, empowering users to better understand and address the issue.

:::row:::
:::column span="2":::
Users have the option to review additional information about the recovery error by pressing the <Kbd>Alt</kbd> key.
:::column-end:::
:::column span="2":::
:::image type="content" source="images/preboot-recovery-additional.png" alt-text="Screenshot of the BitLocker recovery screen highlighting the Alt keyboard button to access the recovery information screen." lightbox="images/preboot-recovery-additional.png" border="false":::
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
The **Additional recovery information** screen contains an *error category* and a *code*, which you can use to retrieve more details from the next section of this article.
:::column-end:::
:::column span="2":::
:::image type="content" source="images/preboot-recovery-additional-recovery-information.png" alt-text="Screenshot of the BitLocker recovery information screen." lightbox="images/preboot-recovery-additional-recovery-information.png" border="false":::
:::column-end:::
:::row-end:::

The next sections describe the codes for each BitLocker error category. Within each section there's a table with the error message displayed on the recovery screen, and the cause of the error. Some tables include possible resolution.

The error categories are:

- [Initiated by user](#initiated-by-user)
- [Code integrity](#code-integrity)
- [Device lockout](#device-lockout)
- [Boot configuration](#boot-configuration)
- [TPM](#tpm)
- [Protector](#protector)
- [Unknown](#unknown)

### Initiated by user

| Error code | Error cause | Resolution|
|-|-|-|
|`E_FVE_USER_REQUESTED_RECOVERY`|The user explicitly entered recovery mode from a screen with the option to `ESC` to recovery mode.||
|`E_FVE_BOOT_DEBUG_ENABLED`|Boot debugging mode is enabled. |Remove the boot debugging option from the boot configuration database.|

### Code integrity

Driver signature enforcement is used to ensure code integrity of the operating system.

| Error code | Error cause |
|-|-|
|`E_FVE_CI_DISABLED`|Driver signature enforcement is disabled.|

### Device lockout

Device lockout threshold functionality allows an administrator to configure Windows sign in with BitLocker protection. After the configured number of failed Windows sign in attempts, the device reboots and can only be recovered by providing a BitLocker recovery method.

To take advantage of this functionality, you must configure the policy setting **Interactive logon: Machine account lockout threshold** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options**. Alternatively, use the [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) **MaxFailedPasswordAttempts** policy setting, or the [DeviceLock Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-csp-devicelock#accountlockoutpolicy).

| Error code | Error cause | Resolution|
|-|-|-|
|`E_FVE_DEVICE_LOCKEDOUT`|Device lockout triggered due to too many incorrect sign in attempts.|A BitLocker recovery method is required to return to the sign in screen.|
|`E_FVE_DEVICE_LOCKOUT_MISMATCH`|The device lockout counter is out of sync. |A BitLocker recovery method is required to return to the sign in screen.|

### Boot configuration

The *Boot Configuration Database (BCD)* contains critical information for the Windows boot environment.

| Error code | Error cause | Resolution|
|-|-|-|
|`E_FVE_BAD_CODE_ID`<br><br>`E_FVE_BAD_CODE_OPTION`|BitLocker entered recovery mode because a boot application changed.<br>BitLocker tracks the data inside the BCD and BitLocker recovery can occur when this data changes without warning. <br><br>Refer to the recovery screen to find the boot application that changed.|To remediate this issue, restore the BCD configuration. A BitLocker recovery method is required to unlock the device if the BCD configuration can't be restored before booting.|

For more information, see [Boot Configuration Data settings and BitLocker](bcd-settings-and-bitlocker.md).

### TPM

The Trusted Platform Module (TPM) is cryptographic hardware or firmware used to secure a device. BitLocker creates a *TPM protector* to manage protection of the encryption keys used to encrypt your data.

At boot, BitLocker attempts to communicate with the TPM to unlock the device and access your data.

| Error code | Error cause |
|-|-|
|`E_FVE_TPM_DISABLED` | A TPM is present but is disabled for use before or during boot.|
|`E_FVE_TPM_INVALIDATED` | A TPM is present but invalidated.|
|`E_FVE_BAD_SRK` | The TPM's internal Storage Root Key is corrupted.|
|`E_FVE_TPM_NOT_DETECTED` | The booting system doesn't have or doesn't detect a TPM.|
|`E_MATCHING_PCRS_TPM_FAILURE`| The TPM unexpectedly failed when unsealing the encryption key.|
|`E_FVE_TPM_FAILURE` | Catch-all for other TPM errors.|

For more information, see [Trusted Platform Module Technology Overview](../../../hardware-security/tpm/trusted-platform-module-overview.md) and [BitLocker and TPM](index.md#bitlocker-and-tpm).

### Protector

#### TPM protectors

The TPM contains multiple Platform Configuration Registers (PCRs) that can be used in the validation profile of the BitLocker TPM protector. The PCRs are used to validate the integrity of the boot process, that is, that the boot configuration and boot flow hasn't been tampered with.

BitLocker recovery can be the result of unexpected changes in the PCRs used in the TPM protector validation profile. Changes to PCRs not used in the TPM protector profile don't influence BitLocker.

| Error code | Error cause |Resolution|
|-|-|
|`E_FVE_PCR_MISMATCH`|The device's configuration changed. <br><br>Possible causes include:<br>- A bootable media is inserted. Removing it and restarting your device might fix this problem<br>- A firmware update was applied without updating the TPM protector| A recovery method is required to unlock the device.|

For more examples, see [BitLocker recovery scenarios](recovery-overview.md#bitlocker-recovery-scenarios).

#### Special cases for PCR 7

If the TPM protector uses PCR 7 in the validation profile, BitLocker expects PCR 7 to measure a specific set of events for Secure Boot. These measurements are defined in the UEFI spec. For more information, see [Static Root of Trust Measurements](/previous-versions/windows/hardware/hck/jj923068(v=vs.85)#appendix-a-static-root-of-trust-measurements)

| Error code | Error cause |Resolution|
|-|-|-|
|`E_FVE_SECUREBOOT_DISABLED`|Secure Boot has been disabled. To access the encryption key and unlock your device, BitLocker expects Secure Boot to be on. | Re-enabling Secure Boot and rebooting the system might fix the recovery issue. Otherwise, a recovery method is required to access the device.|
|`E_FVE_SECUREBOOT_CHANGED`|The Secure Boot configuration unexpectedly changed. The boot configuration measured in PCR 7 changed. <br>This may be either because of:<br>- An additional measurement currently present that wasn't present when BitLocker updated the TPM protector<br>- A missing measurement that was present when BitLocker last updated the TPM protector but now isn't present<br>- An expected event has a different measurement | A recovery method is required to unlock the device.|

### Unknown

| Error code | Error cause | Resolution|
|-|-|-|
|`E_FVE_RECOVERY_ERROR_UNKNOWN`| BitLocker entered recovery mode because of an unknown error. | A recovery method is required to unlock the device.|

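Review bot: The separator row under the TPM protectors table is `|-|-|` for a three-column header (`| Error code | Error cause |Resolution|`), so that table won't render as a table; it needs `|-|-|-|` like the other three-column tables in this section. Three smaller points in the new text: the keyboard tag pair `<Kbd>Alt</kbd>` has mismatched case and should be `<kbd>Alt</kbd>`; the PCR 7 paragraph ends without a period after the `Static Root of Trust Measurements` link; and `E_MATCHING_PCRS_TPM_FAILURE` is the only code in the TPM table without the `E_FVE_` prefix, so it is worth confirming that it matches what the recovery screen actually displays, since readers will search on the exact string.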
@ -2,7 +2,7 @@
title: BitLocker recovery overview
description: Learn about BitLocker recovery scenarios, recovery options, and how to determine root cause of failed automatic unlocks.
ms.topic: how-to
ms.date: 10/30/2023
ms.date: 06/18/2024
---

# BitLocker recovery overview
@ -2,7 +2,7 @@
title: BitLocker recovery process
description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive.
ms.topic: how-to
ms.date: 10/30/2023
ms.date: 06/18/2024
---

# BitLocker recovery process
@ -83,7 +83,7 @@ function Get-EntraBitLockerKeys{
foreach ($keyId in $keyIds) {
$recoveryKey = (Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $keyId -Select "key").key
Write-Host -ForegroundColor White " Key id: $keyid"
Write-Host -ForegroundColor Cyan " BitLocker recovery key: $recoveryKey"
Write-Host -ForegroundColor Cyan " BitLocker recovery key: $recoveryKey"
}
} else {
Write-Host -ForegroundColor Red "No BitLocker recovery keys found for device $DeviceName"
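Review bot: The recovery key is written with `Write-Host`, which sends the secret straight to the console (and into any transcript started with `Start-Transcript`) and gives the caller no way to capture it; prefer emitting an object to the pipeline, for example `[pscustomobject]@{ KeyId = $keyId; RecoveryKey = $recoveryKey }`, so the caller decides where the key goes and the sample doesn't normalise echoing key material to screen. Nit: `$keyid` and `$keyId` are the same variable in PowerShell, but use one spelling. The two identical `Write-Host ... $recoveryKey` lines show no visible difference, so the edit here is presumably whitespace-only.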