BitLocker Common issue and how to troubleshoot

  • General discussion


    Machine at BitLocker recovery prompt at every reboot

    • The BitLocker recovery prompt is different from Windows recovery.

      A typical BitLocker recovery prompt looks like this. 

    • At this screen the user must provide the 48-digit recovery key to be able to access the files on the OS.
    • If the user reports that the machine goes to the BitLocker recovery prompt at every system restart, we need to verify the following:
      • OS build version
      • Are we seeing this issue with a particular OEM or system model?
      • Is the issue occurring across different OEMs or models?
      • TPM spec version (1.2 or 2.0)
      • Platform mode (Legacy or UEFI)
      • When do we see the recovery prompt? (During fresh OS deployment, after applying a Windows update, after any application change, after any hardware change, after a firmware or BIOS update, or after any GPO update.)

     

    Machine at BitLocker recovery prompt and user doesn’t know where to look for the recovery key.

    • Ideally, an administrator needs to be aware of where they have backed up the BitLocker recovery key.
    • Common backup locations are:
      • Active Directory computer objects
      • MBAM: Self-service portal or Helpdesk portal (advanced users can retrieve it from the MBAM recovery and hardware database by accessing the SQL server)
      • Azure AD
      • Saved locally on a removable drive, on a network share path, or on a local drive that is not encrypted.

     

    Machine not encrypting

    This scenario occurs during first-time BitLocker or OS deployment.

    • How are we initiating the BitLocker encryption? (BitLocker GPO, MBAM, control panel, manage-bde)
    • What is the error?
    • OS build version
    • Are we seeing this issue with a particular OEM or system model?
    • Is the issue occurring across different OEMs or models?
    • TPM spec version (1.2 or 2.0)
    • Platform mode (Legacy or UEFI)
    • Check the prerequisites:
      • System reserved partition
      • Recovery partition (reagentc /info)
      • TPM in ready status

     

    BitLocker pre-provisioning not working

    BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled.

    • OS build version
    • Are we seeing this issue with a particular OEM or system model?
    • Is the issue occurring across different OEMs or models?
    • Platform mode (Legacy or UEFI)
    • Is TPM present? If yes, check the version (1.2 or 2.0)
    • Where is the pre-provisioning run from? (MDT, SCCM, 3rd party deployment tool)
    • Is it a custom image?

     



    Wednesday, January 2, 2019 7:15 AM
    Owner
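
    The checklist items that recur in the scenarios above (OS build, OEM and model, TPM spec version and ready status, platform mode, partition layout, WinRE status, recent updates) can be gathered in one pass from an elevated PowerShell session. This is an added example, not part of the original post; the function name Get-BitLockerTriage is hypothetical, and it assumes Windows PowerShell 5.1 with the BitLocker and TrustedPlatformModule modules available.

```powershell
#Requires -RunAsAdministrator
# Added example: collects the data points from the checklist on the local machine.
# Get-BitLockerTriage is a hypothetical name chosen for this example.
function Get-BitLockerTriage {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $tpm = Get-Tpm

    # Win32_Tpm.SpecVersion is a comma-separated string; the first field is the
    # TPM specification version (1.2 or 2.0). The class is absent without a TPM.
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'No TPM' }

    # Partition layout of the disk that holds the OS volume (system/recovery check).
    $letter = $env:SystemDrive.Substring(0, 1)
    $diskNo = (Get-Partition -DriveLetter $letter).DiskNumber
    $parts  = Get-Partition -DiskNumber $diskNo |
              Select-Object PartitionNumber, Type, IsSystem, IsActive, Size

    # Only protector *types* are reported; recovery passwords are never emitted.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

    # Recent updates help answer "when did the recovery prompt start?".
    $updates = Get-HotFix | Sort-Object InstalledOn -Descending |
               Select-Object -First 5 HotFixID, InstalledOn

    [pscustomobject]@{
        OSVersion         = $os.Version
        OSBuild           = $os.BuildNumber
        Manufacturer      = $cs.Manufacturer
        Model             = $cs.Model
        PlatformMode      = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        TpmSpecVersion    = $spec
        VolumeStatus      = $vol.VolumeStatus
        ProtectionStatus  = $vol.ProtectionStatus
        KeyProtectorTypes = ($vol.KeyProtector.KeyProtectorType -join ', ')
        Partitions        = $parts
        WinREInfo         = (reagentc /info | Out-String).Trim()
        RecentUpdates     = $updates
    }
}

Get-BitLockerTriage | Format-List
```

    Running the same function on an affected and an unaffected machine of the same model makes differences in firmware mode, TPM state or key protectors easy to spot.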