Sri-8502 asked ChristianEromosele-6897 answered

BitLocker encryption not working on some newly built laptops

Hello,

We have an MBAM environment to manage encryption on Windows 10 workstations. After the laptop is handed over, the end user gets the pop-up from MBAM via GPO to enter the PIN and encrypt the device. The pop-up does come, but after entering the PIN it does not encrypt the device.

Errors observed:

  • At least one drive on this computer could not be encrypted

The pop-up keeps coming every hour, but every time the encryption could not be completed.

The following steps were tried:

  • Restart MBAM service on workstation

  • Launch the MBAM UI directly from "C:\Program files\Microsoft\MDOP MBAM\MBAMClientUI.exe"

  • Run gpupdate and reboot

Fix

  • If we manually run "manage-bde -on c" from cmd and then reboot, it works fine with the MBAM pop-up wizard.

What does this command line do? Is it specific to device settings? How can I fix it for multiple devices?


Regards

VJ

windows-10-security
ColinFord-6663 answered

Hi VJ

Do you get any more details in Event Logs > Applications and Services Logs > Microsoft > Windows > MBAM?

TeemoTang-MSFT answered

Hi VJ,

Using only the manage-bde -on <drive letter> command will encrypt the operating system volume with a TPM-only protector and no recovery key.
In your scenario, executing the “manage-bde -on c” command will encrypt the C partition with a TPM-only protector and turn on BitLocker; it doesn’t use any other secure protectors such as passwords or a PIN.
Source:
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker#bkmk-managebde

There is a similar case; let’s look for a solution here:
https://www.reddit.com/r/SCCM/comments/hyquk4/mbam_encryption_not_starting_automatically_1910/

On the other hand, you could use a startup/login script to run manage-bde -on c on your clients; detailed steps here:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789190(v=ws.11)


If the Answer is helpful, please click "Accept Answer" and upvote it.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
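Colin asked for the MBAM event log details and Teemo suggested scripting the fix for many clients. The script below is an added example, not code from the thread or from Microsoft: it gathers, on one device or fanned out over WinRM, the facts a wizard failure like the one above depends on (TPM readiness, the OS volume's BitLocker state, which protector types are present, and recent MBAM client warnings and errors). It assumes the built-in BitLocker and TrustedPlatformModule PowerShell modules on Windows 10, and that the MBAM client logs use the Admin/Operational log names shown; the computer names in the usage comment are placeholders.

```powershell
# Added example (not from the thread or from Microsoft): collect BitLocker/MBAM
# readiness facts for one device. Assumes the built-in BitLocker and
# TrustedPlatformModule modules (Windows 10) and the MBAM client log names below.
function Get-MbamEncryptionReadiness {
    [CmdletBinding()]
    param(
        [string]$MountPoint = 'C:',
        [int]$MaxEvents = 20
    )

    # TPM state: the MBAM TPM+PIN wizard cannot succeed without a present, ready TPM.
    $tpm = Get-Tpm

    # Volume state and the protector types currently on the OS volume.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Recent warnings/errors (levels 1-3) from the MBAM client Admin and Operational logs.
    # -ErrorAction SilentlyContinue swallows the "No events were found" non-terminating error.
    $events = foreach ($log in 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message
    }

    [PSCustomObject]@{
        ComputerName         = $env:COMPUTERNAME
        TpmPresent           = $tpm.TpmPresent
        TpmReady             = $tpm.TpmReady
        VolumeStatus         = $vol.VolumeStatus.ToString()
        EncryptionPercentage = $vol.EncryptionPercentage
        ProtectionStatus     = $vol.ProtectionStatus.ToString()
        KeyProtectors        = ($protectorTypes -join ', ')
        HasRecoveryPassword  = ($protectorTypes -contains 'RecoveryPassword')
        HasTpmAndPin         = ($protectorTypes -contains 'TpmPin')
        RecentMbamEvents     = @($events)
    }
}

# Usage: locally, or against the affected laptops over WinRM (names are placeholders).
Get-MbamEncryptionReadiness | Format-List
# Invoke-Command -ComputerName LAPTOP01, LAPTOP02 -ScriptBlock ${function:Get-MbamEncryptionReadiness} |
#     Select-Object ComputerName, TpmReady, VolumeStatus, KeyProtectors, HasRecoveryPassword, HasTpmAndPin
```

Run it as an administrator (Get-Tpm and Get-BitLockerVolume both require elevation). A device that shows TpmReady false, or a volume that is FullyDecrypted with no key protectors at all, is a different problem from one that is encrypted with a Tpm protector but no TpmPin protector; the RecentMbamEvents list is where the messages quoted later in this thread would appear.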


Sri-8502 answered TeemoTang-MSFT commented

Hi Colin & Teemo,

This device has a fully functional BitLocker PIN now after the commands were run manually, and encryption is also working.

I see these in the MBAM Operational logs even today. They were also there when the device was not encrypted:

1) Incorrect function.

2) The process cannot access the file because it is being used by another process.

These are in the MBAM Admin logs:

1) The system cannot find the file specified.

As for the troubleshooting steps that were followed, there is an additional step which I did not mention before:

1) Open cmd with admin rights and run "manage-bde -on c:"
2) Reboot and run "manage-bde -status"
3) Make sure encryption is 100%
4) Run "manage-bde -protectors -add C: -TPMAndPIN" to set the PIN.

So I am wondering why the automatic MBAM wizard gives an error after the PIN is entered while encrypting. If the above four steps are followed on the same device manually, then it works.

Regards

VJ


Debugging Windows logs is beyond the scope of forum support, so if further assistance is needed you could open a request ticket with Microsoft support.
https://support.serviceshub.microsoft.com/supportforbusiness
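The four manual steps in VJ's reply above only work one device at a time and, as Teemo noted earlier, "manage-bde -on c:" by itself leaves the volume with a TPM-only protector and no recovery key. The script below is an added example, not code from the thread or from Microsoft: it is a re-runnable startup script that walks a device through the same sequence one step per run, so the reboot that step 2 needs falls between runs, and it adds a recovery password before turning BitLocker on so the volume is never protected by the TPM alone. It assumes the built-in BitLocker module, a ready TPM, and that the PIN reaches the script through a parameter; how a deployment delivers that PIN securely is outside this example and is labelled hypothetical in the code.

```powershell
# Added example (not from the thread or from Microsoft): a re-runnable startup
# script that advances one step per run through the thread's four manual steps.
# Assumes the built-in BitLocker module and a ready TPM. The $Pin parameter is a
# hypothetical hand-off point; the real secret-delivery mechanism is deployment-specific.
[CmdletBinding()]
param(
    [string]$MountPoint = 'C:',
    [securestring]$Pin            # hypothetical: supplied by the deployment, never hard-coded
)

$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

switch ($vol.VolumeStatus.ToString()) {
    'FullyDecrypted' {
        # Step 1 equivalent of "manage-bde -on c:", but with a recovery password added
        # first so the volume is never TPM-only. MBAM/AD policy escrows the password
        # once protection is on; verify that escrow before relying on it.
        if ($types -notcontains 'RecoveryPassword') {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        }
        Enable-BitLocker -MountPoint $MountPoint -TpmProtector | Out-Null
        Write-Output "BitLocker enabled on $MountPoint; a reboot is required for the TPM hardware test."
    }
    'EncryptionInProgress' {
        # Steps 2-3: encryption still running; report progress and return on the next boot.
        Write-Output "Encryption in progress: $($vol.EncryptionPercentage)%"
    }
    'FullyEncrypted' {
        # Step 4: add the TPM+PIN protector only once encryption is complete (the thread
        # reports this step succeeding after a TPM-only -on) and only once.
        if ($types -contains 'TpmPin') {
            Write-Output 'TPM+PIN protector already present; nothing to do.'
        } elseif (-not $Pin) {
            Write-Output 'Volume encrypted but no PIN supplied; leaving the existing protectors in place.'
        } else {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
            Write-Output 'TPM+PIN protector added.'
        }
    }
    default {
        Write-Output "Unexpected volume state '$($vol.VolumeStatus)'; not changing anything."
    }
}
```

Because every branch first reads the current state and changes nothing when the expected protector is already there, the script can run at every startup (as Teemo's startup-script link describes) without re-encrypting or stacking duplicate protectors; the only step that needs an input is the final one, which is also the step the MBAM wizard normally performs with the user's own PIN.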


ColinFord-6663 answered

On a device with the issue, instead of running the manage-bde.exe commands, can you remove and re-install the MBAM client manually and see if that works? Does this happen to all of your devices or just a handful?

ChristianEromosele-6897 answered

Note: Ensure the MBAM updates are also installed alongside the agent. Otherwise, it will not work. Do you see any errors in Reporting Services? If yes, you may find this guide useful: https://techdirectarchive.com/2022/03/03/mbam-report-errors-understanding-microsoft-bitlocker-administration-and-monitoring-compliance-state-and-error-status/

Kindly ensure you access these devices interactively and also with a domain account! Local admin accounts will not work. Kindly reach out for further questions.
