BitLocker Troubleshooting

This article addresses some common issues during the BitLocker encryption process and provides guidance to troubleshoot these issues.

McAfee Troubleshooting

NOTE: The MBAM Client does not start BitLocker Drive Encryption actions if a remote desktop protocol connection is active. All remote console connections must be closed and a user must be logged on to a console session before BitLocker Drive Encryption begins.

McAfee software did not fully uninstall

If the McAfee software does not fully uninstall, try the following steps in order.

  • Download and Run as Admin: the McAfee Removal Tool (note: the tool expires 90 days from the date McAfee created the file.)


Trusted Platform Module (TPM) Troubleshooting

Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys.

BIOS Update

The BIOS may require an update to resolve repeated TPM errors; check with the hardware vendor to see if an update is available.

WARNING: To avoid having to perform BitLocker recovery when updating the BIOS, BitLocker must be suspended using one of the following actions:

  • When downloading the BIOS select “BitLocker is enabled” or
  • From PowerShell as Admin, enter the cmdlet: Suspend-BitLocker -MountPoint "C:"
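The following is an added example (not from the original article) of the PowerShell route: it suspends protection on the OS drive for exactly one reboot and confirms the suspension took effect before the firmware is flashed. It assumes the OS drive is C: and that the Windows BitLocker cmdlets are available; run it from an elevated PowerShell session.

```powershell
# Added example: suspend BitLocker on the OS drive for one reboot ahead of a
# BIOS update, then confirm it is really suspended. Assumes OS drive C:.

function Suspend-BitLockerForFirmwareUpdate {
    param([string]$MountPoint = 'C:')

    # RebootCount 1 makes Windows re-enable protection automatically after the
    # next restart, so the machine does not stay unprotected if the resume step
    # is forgotten after the BIOS update.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null

    # With ProtectionStatus 'Off' the TPM is not consulted at boot, so the new
    # firmware measurements cannot force a recovery-key prompt.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'Off') {
        throw "BitLocker on $MountPoint is still '$($vol.ProtectionStatus)'; do not flash the BIOS yet."
    }
    Write-Host "BitLocker on $MountPoint is suspended (VolumeStatus: $($vol.VolumeStatus)). Safe to update the BIOS."
    return $vol
}

function Confirm-BitLockerResumedAfterUpdate {
    param([string]$MountPoint = 'C:')

    # Run this after the post-update reboot. Protection should be back on by
    # itself because of RebootCount 1; if not, resume it explicitly.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "Protection on $MountPoint did not resume automatically; resuming now."
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    Write-Host "BitLocker on $MountPoint: ProtectionStatus=$($vol.ProtectionStatus)"
    return $vol
}

Suspend-BitLockerForFirmwareUpdate            # before the BIOS update
# Confirm-BitLockerResumedAfterUpdate         # after the post-update reboot
```

Keeping the reboot count at 1 rather than 0 (indefinite) is the safer default: a suspended volume is readable by anyone who boots the machine, so the window should close on its own.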

TpmReady: False

To determine whether a TPM chip complies with the latest Windows standards, from PowerShell as Admin enter the cmdlet: Get-Tpm. The output should be similar to TpmReady: True.

Example – TpmReady: True

If the output is TpmReady: False, attempt to reset the TPM via the Clear TPM actions below.

Example – TpmReady: False

If the Clear TPM attempts fail to reset the TPM, launch PowerShell as Admin and enter the cmdlet: Initialize-Tpm -AllowClear -AllowPhysicalPresence. The returned output should be similar to:
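As an added example (not part of the original article), the script below summarises the Get-Tpm fields that explain a TpmReady: False result and only runs Initialize-Tpm with the flags above when the chip is present, not locked out, and still not ready. The property names are those exposed by Get-Tpm on Windows 10 and later; run it from an elevated PowerShell session.

```powershell
# Added example: interpret Get-Tpm before resorting to Initialize-Tpm.
# Property names are the ones Get-Tpm returns on Windows 10/11.

function Get-TpmReadinessReport {
    $tpm = Get-Tpm
    [pscustomobject]@{
        TpmPresent     = $tpm.TpmPresent      # chip visible to Windows at all
        TpmReady       = $tpm.TpmReady        # what the article checks for
        TpmEnabled     = $tpm.TpmEnabled
        TpmActivated   = $tpm.TpmActivated
        TpmOwned       = $tpm.TpmOwned        # Windows has taken ownership
        LockedOut      = $tpm.LockedOut       # anti-hammering lockout active
        RestartPending = $tpm.RestartPending  # a clear/provision is waiting on a reboot
        Manufacturer   = $tpm.ManufacturerIdTxt
        Version        = $tpm.ManufacturerVersion
    }
}

$report = Get-TpmReadinessReport
$report | Format-List

if (-not $report.TpmPresent) {
    Write-Warning "No TPM detected: enable the TPM in the BIOS/UEFI setup (see 'TPM Not enabled in BIOS')."
}
elseif ($report.RestartPending) {
    Write-Warning "A TPM operation is pending a restart; reboot before running anything else."
}
elseif ($report.LockedOut) {
    Write-Warning "TPM is in lockout; it heals on its own, so wait before retrying rather than clearing it."
}
elseif (-not $report.TpmReady) {
    # -AllowClear lets Windows clear an existing owner; -AllowPhysicalPresence lets
    # the firmware ask for a physical confirmation at the next boot, so expect a prompt.
    Write-Host "TPM present but not ready; running Initialize-Tpm."
    Initialize-Tpm -AllowClear -AllowPhysicalPresence | Format-List
    Write-Host "If the output reports that a restart or physical presence is required, reboot, confirm at the firmware prompt, then re-run Get-Tpm."
}
else {
    Write-Host "TpmReady: True - the TPM is ready for BitLocker."
}
```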

TPM Not enabled in BIOS

  • To enable the TPM, reboot the system and enter the BIOS setup options
  • Look for the TPM option and enable the TPM
  • Example on Dell BIOS

Clear TPM

If the Event Viewer logs report TPM errors:

  • Open the TPM management console by running TPM.msc as Admin
  • Click Clear TPM
  • After selecting reboot, a mandatory confirmation to clear the TPM is required before the system reboots into Windows

OR

  • Open the Windows Defender Security Center app.
  • Click Device security.
  • Click Security processor details.

  • Click Security processor troubleshooting.
  • Click Clear TPM.
  • You will be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM.
  • After the PC restarts, your TPM will be automatically prepared for use by Windows 10.

TPM Management Console fails to load, causing BitLocker to be Suspended

If the TPM management console fails to load and the BitLocker status is Suspended:

TPM Management fails to load.
BitLocker Suspended

If the ‘Clear TPM’ action does not resolve the issue, attempt the following actions:

  1. Review the TPM configuration setting in the system’s BIOS.
  2. If the TPM is enabled, toggle the setting between disabled and enabled.
  3. Restart the system.
  4. After the reboot, attempt ‘Resume Protection.’

Manual re-verification of the system’s key escrow is highly recommended. Do not assume that the system’s Recovery Key is functioning properly after a TPM failure.
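The following added example (not from the original article) performs step 4 from PowerShell and then does the key-escrow re-verification the paragraph asks for, instead of assuming the existing recovery key is still escrowed. It assumes recovery passwords are escrowed to on-premises Active Directory via Backup-BitLockerKeyProtector; if MBAM is the escrow target in your environment, confirm the protector ID in the MBAM recovery report instead. Run from an elevated PowerShell session.

```powershell
# Added example: resume protection after a TPM reset, then re-escrow and
# re-verify the recovery password protector. Assumes AD DS escrow and OS drive C:.

function Resume-AndReverifyEscrow {
    param([string]$MountPoint = 'C:')

    # Step 4 of the article: resume protection.
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Host ("Protection: {0}  Status: {1}  Method: {2}" -f `
        $vol.ProtectionStatus, $vol.VolumeStatus, $vol.EncryptionMethod)

    # Without a TPM protector the next boot lands in recovery; after a TPM clear
    # this protector may be gone even though protection reports 'On'.
    $tpm = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
    if ($tpm.Count -eq 0) {
        Write-Warning "No TPM key protector on $MountPoint; re-add it with Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector."
    }

    # Re-escrow every recovery password. Only the protector ID is displayed; the
    # 48-digit recovery password itself is never written to the console or a log.
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        Write-Warning "No RecoveryPassword protector on $MountPoint; there is nothing escrowed. Wait for policy to re-apply or add one."
    }
    $escrowed = @()
    foreach ($kp in $recovery) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Host "Escrowed recovery protector $($kp.KeyProtectorId) to AD DS."
            $escrowed += $kp.KeyProtectorId
        } catch {
            Write-Warning "AD DS backup failed for $($kp.KeyProtectorId): $($_.Exception.Message). Do not trust this key until it is verified."
        }
    }
    # Close the loop by hand: look up each ID below in ADUC (BitLocker Recovery tab)
    # or the MBAM recovery page and confirm a password is stored for it.
    return $escrowed
}

Resume-AndReverifyEscrow
```

The function returns the protector IDs it managed to escrow so the manual lookup has a concrete list to check against; an empty result after a TPM failure is exactly the case the paragraph warns about.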


Microsoft BitLocker Administration and Monitoring (MBAM) Troubleshooting

Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption.

MBAM Logs

Review the MBAM logs in Event Viewer for possible causes of issues, such as the TPM not being active or the client not being able to communicate with the server.

PATH: Event Viewer/Application and Services logs/Microsoft/Windows/MBAM/

Example of MBAM/Admin Logs
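As an added example (not from the original article), the script below reads the same MBAM channels from PowerShell and groups recent warnings and errors by event ID, so a repeated server-communication failure stands out from a one-off TPM event. The channel names 'Microsoft-Windows-MBAM/Admin' and 'Microsoft-Windows-MBAM/Operational' are the Event Viewer channels under the path above; run as Admin.

```powershell
# Added example: summarise recent MBAM client warnings/errors from Event Viewer.
# Channel names correspond to Event Viewer > Applications and Services Logs >
# Microsoft > Windows > MBAM > Admin / Operational.

function Get-MbamRecentErrors {
    param([int]$Hours = 24, [int]$Max = 200)
    $filter = @{
        LogName   = 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational'
        Level     = 1, 2, 3                       # Critical, Error, Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    try {
        return @(Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction Stop)
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as an empty result.
        if ($_.Exception.Message -like '*No events were found*') { return @() }
        throw
    }
}

$events = Get-MbamRecentErrors -Hours 48
if ($events.Count -eq 0) {
    Write-Host "No MBAM warnings or errors in the last 48 hours."
} else {
    # Count per event ID, with the first line of a sample message for context.
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object Count, @{n='EventId'; e={ $_.Name }},
                      @{n='Sample'; e={ ($_.Group[0].Message -split "`n")[0] }} |
        Format-Table -AutoSize

    # Full detail of the most recent few, suitable for pasting into a ticket.
    $events | Select-Object -First 5 TimeCreated, LogName, Id, LevelDisplayName, Message |
        Format-List
}
```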

MBAM Stalling

MBAMClientUI.exe is Microsoft BitLocker Administration and Monitoring (MBAM) Client software.

  1. Browse to: C:\Program Files\Microsoft\MDOP MBAM
  2. Right-click MBAMClientUI.exe and Run as Administrator.
  3. Within 30-60 seconds you should usually (but not always) see the BitLocker Drive Encryption Notification pop up and an icon in your notification area.
  4. Click on the notification pop-up and you should see the encryption-in-progress bar showing the status of the OS drive.
Encryption in progress bar

Or, from PowerShell run as Admin, enter the command: manage-bde -status

Encryption in Progress

BitLocker Drive Encryption Notification Utility

If the encryption status does not pop up, you can manually launch the notification utility by searching for fvenotify.exe.


Pop-Up - BitLocker could not be enabled

In some cases, even after manually running MBAMClientUI.exe, a stalled system still will not encrypt. Causes include, but are not limited to, old hardware, a failed MBR-to-GPT conversion, an upgraded operating system (OS), a corrupted Windows Recovery Environment (WinRE), or unknown reasons. The following instructions walk you through performing a Startup Repair on the affected system.

Example Error: BitLocker could not be enabled.

TPM error
Data Drive error
  1. Open Settings > Update & Security > Recovery. Click Restart Now.
Update & Security/Recovery
  2. After the restart, choose Troubleshoot > Advanced Options > Startup Repair.
Troubleshoot
Advanced Options
Startup Repair
  3. When prompted, select the Administrator account and enter its password. Then allow the Startup Repair process to complete.
  4. Once the system has restarted, run the following command from PowerShell as Admin:

manage-bde -status

  5. Notice that the system does not have any “Key Protectors” assigned to the C: drive. Allow the system 1-2 minutes to re-apply the BitLocker encryption policy.
  6. Once you see “Numerical Password” reappear under “Key Protectors,” right-click MBAMClientUI.exe and Run as Administrator.
  7. Re-run the manage-bde command and you should see that the system has started the encryption process.
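The following added example (not from the original article) scripts the check behind steps 5-7 and the earlier "MBAM Stalling" section: it waits for the Numerical Password protector (KeyProtectorType RecoveryPassword in the PowerShell cmdlets) to reappear on C:, launches the MBAM client UI, and then samples EncryptionPercentage to distinguish a genuinely stalled encryption from one that is merely slow. It assumes the OS drive is C: and the MBAM install path given in the article; run as Admin.

```powershell
# Added example: wait for key protectors to return after Startup Repair, start
# the MBAM client, then watch encryption progress to detect a stall.
# Assumes OS drive C: and the MBAM path from the article.

function Wait-BitLockerProtectors {
    param([string]$MountPoint = 'C:', [int]$TimeoutSec = 180)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $vol   = Get-BitLockerVolume -MountPoint $MountPoint
        $types = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
        # manage-bde's "Numerical Password" is KeyProtectorType 'RecoveryPassword' here.
        if ($types -contains 'RecoveryPassword') { return $vol }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    return $null
}

function Test-BitLockerProgress {
    param([string]$MountPoint = 'C:', [int]$IntervalSec = 60, [int]$Samples = 3)
    $last = (Get-BitLockerVolume -MountPoint $MountPoint).EncryptionPercentage
    for ($i = 0; $i -lt $Samples; $i++) {
        Start-Sleep -Seconds $IntervalSec
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0:HH:mm:ss}  {1,-22} {2,3}%  Protection={3}" -f `
            (Get-Date), $vol.VolumeStatus, $vol.EncryptionPercentage, $vol.ProtectionStatus)
        if ($vol.VolumeStatus -eq 'FullyEncrypted')       { return 'Complete' }
        if ($vol.EncryptionPercentage -gt $last)          { return 'Progressing' }
        $last = $vol.EncryptionPercentage
    }
    # Percentage did not move across all samples: treat as stalled.
    return 'Stalled'
}

$vol = Wait-BitLockerProtectors
if (-not $vol) {
    Write-Warning "No RecoveryPassword protector appeared on C: within the timeout; policy has not re-applied yet."
} else {
    Write-Host "Key protectors on C: $(@($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ', ')"
    # Step 6: launch the MBAM client UI elevated.
    Start-Process -FilePath 'C:\Program Files\Microsoft\MDOP MBAM\MBAMClientUI.exe' -Verb RunAs
    $result = Test-BitLockerProgress
    Write-Host "Encryption on C: is $result"
}
```

Three samples a minute apart is a reasonable floor for a spinning disk; on a large drive a 'Stalled' verdict should be re-checked once before escalating.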

Invalid Namespace Error

If a ‘manage-bde’ command returns an Invalid Namespace error:

Invalid Namespace

From a command prompt run as Admin, enter the following command.

mofcomp.exe c:\windows\system32\wbem\win32_encryptablevolume.mof

Next re-run the ‘manage-bde’ command.

manage-bde -status
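As an added example (not from the original article), the script below tests the WMI namespace that manage-bde depends on, and only runs mofcomp when that namespace is actually missing. The namespace root\CIMV2\Security\MicrosoftVolumeEncryption and the class Win32_EncryptableVolume are the ones registered by the .mof file named above; run as Admin.

```powershell
# Added example: verify the BitLocker WMI namespace before and after mofcomp.
# Namespace/class names are those registered by win32_encryptablevolume.mof.

function Test-BitLockerWmi {
    try {
        $vols = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                                -ClassName 'Win32_EncryptableVolume' -ErrorAction Stop
        foreach ($v in $vols) {
            # Win32_EncryptableVolume.ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown
            Write-Host ("{0,-4} ProtectionStatus={1}" -f $v.DriveLetter, $v.ProtectionStatus)
        }
        return $true
    } catch {
        # An "Invalid namespace" CIM error here is the same failure manage-bde reports.
        Write-Warning "BitLocker WMI namespace unavailable: $($_.Exception.Message)"
        return $false
    }
}

if (Test-BitLockerWmi) {
    Write-Host "Namespace is present; manage-bde should work."
} else {
    $mof = Join-Path $env:SystemRoot 'System32\wbem\win32_encryptablevolume.mof'
    Write-Host "Re-registering $mof"
    & mofcomp.exe $mof
    if ($LASTEXITCODE -ne 0) { throw "mofcomp failed with exit code $LASTEXITCODE" }

    if (Test-BitLockerWmi) {
        & manage-bde.exe -status
    } else {
        Write-Warning "Namespace still missing after mofcomp; check the WMI repository with 'winmgmt /verifyrepository'."
    }
}
```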


Self-Encrypting Disk (SED) Solid State Drives (SSD)

A Self-Encrypting Disk (SED) Solid State Drive (SSD) may encrypt using its own hardware encryption, but this may be vulnerable to attack; BitLocker should be used to enforce software encryption. This can be verified by doing the following:

  1. Run ‘manage-bde.exe -status’ from elevated command prompt.
  2. If none of the drives listed report “Hardware Encryption” for the Encryption Method field, then this device is using software encryption and is not affected by vulnerabilities associated with self-encrypting drive encryption.
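The following added example (not from the original article) performs the same check across all volumes from PowerShell, where hardware encryption shows up as EncryptionMethod 'Hardware', and also reports the policy that decides whether BitLocker is allowed to use the drive's own encryption at all. The registry values OSHardwareEncryption, FDVHardwareEncryption and RDVHardwareEncryption under HKLM\SOFTWARE\Policies\Microsoft\FVE are assumed to be the ones written by the "Configure use of hardware-based encryption" Group Policy settings; run as Admin.

```powershell
# Added example: find volumes relying on SED hardware encryption and show the
# policy state that controls it. Registry value names are assumed to be those
# set by the "Configure use of hardware-based encryption" GPOs.

function Get-HardwareEncryptionExposure {
    foreach ($v in Get-BitLockerVolume) {
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType
            EncryptionMethod = $v.EncryptionMethod
            UsesSedHardware  = ($v.EncryptionMethod -eq 'Hardware')   # drive-managed encryption
            VolumeStatus     = $v.VolumeStatus
        }
    }
}

$report = @(Get-HardwareEncryptionExposure)
$report | Format-Table -AutoSize

$exposed = @($report | Where-Object UsesSedHardware)
if ($exposed.Count -gt 0) {
    Write-Warning ("Hardware (SED) encryption in use on: " + (($exposed | ForEach-Object MountPoint) -join ', ') +
                   ". Decrypt and re-encrypt with software encryption once the policy below forbids hardware encryption.")
} else {
    Write-Host "No volume reports Hardware encryption; this device is using software encryption."
}

# Policy check: a value of 0 means BitLocker must not use hardware encryption
# for that drive class (OS / fixed data / removable data).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
    $val = (Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue).$name
    $state = if ($null -eq $val) { 'not configured (platform default applies)' }
             elseif ($val -eq 0) { 'disabled - software encryption enforced' }
             else                { "enabled ($val) - hardware encryption permitted" }
    Write-Host ("{0,-24} {1}" -f $name, $state)
}
```

Note that changing the policy does not convert an already hardware-encrypted volume; the volume has to be decrypted and re-encrypted for the Encryption Method to change.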

AD/MECM Policy Troubleshooting

Please utilize the BigFix Web Report: GS: Windows Workstations – BitLocker Status to verify that both GPOs “DI – USGS Windows Client FIPS Enabled” and “ITSOT – BitLocker Settings” have been applied to the targeted system.

If you find systems that are not applying the GPOs correctly despite having successfully run the command gpupdate /force, please reference the TST page “Fixing Group Policy Update Failures Due to LocalGPO Processing Errors” to attempt to resolve the issue.
