Bitlocker encryption not starting automatically

  • Question

  • Hello,
    For about a week now, my newly installed Windows 10 1703 (15063.540) computers have not been starting BitLocker encryption automatically. The MBAM client is installed and the GPOs are configured. It worked properly for about 40 computers before.
    When I start encryption manually with 'manage-bde -on c:', the PCs do start encrypting.
    In Control Panel I can see that the BitLocker settings are managed by Group Policy. When I don't start encryption manually, this is not shown.
    What we have checked/done:
    - Reboot of the MBAM server
    - Reinstalled the MBAM client on the computers
    - GPO settings are definitely set on the computers
    - Latest BIOS version: Dell Latitude E5570, E5580, E6540

    One of the computers had already been encrypted automatically. We did a fresh Windows install, and now encryption is not starting automatically on this device either.
    Any ideas?


    • Edited by stonwt Monday, August 28, 2017 1:57 PM
    Monday, August 28, 2017 1:57 PM

Answers

  • “The behavior they are observing (about encryption not starting automatically when RDP’d) is by design. You need to be logged in at the console for BitLocker to start the enactment."
    • Marked as answer by stonwt Tuesday, November 7, 2017 7:38 AM
    Tuesday, November 7, 2017 7:36 AM

All replies

  • Hi,

    What is Event Viewer in the MBAM node saying?

    /Oliver


    • Edited by SoftD Monday, August 28, 2017 2:10 PM
    Monday, August 28, 2017 2:10 PM
  • Hi,

    What do the MBAM logs in the Event Log on the client machines tell you? It could point to a communication issue, in which case the client will not start encrypting. I would start by checking the event log and continue troubleshooting from there.

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Monday, August 28, 2017 2:16 PM
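As an added example that is not part of this thread: a PowerShell snippet that pulls the MBAM client events the replies above ask about, summarises them by event ID so a repeating TransferStatusFailed does not bury the one "policies applied" entry, and probes the status-reporting endpoint named in that error. The log names Microsoft-Windows-MBAM/Admin and Microsoft-Windows-MBAM/Operational and the StatusReportingServiceEndpoint value under the MDOPBitLockerManagement policy key are assumptions based on the MBAM 2.5 client; verify them on your build.

```powershell
# Added example (not from the thread). Assumes the MBAM 2.5 client log names and
# the policy registry value below; adjust if your client version differs.
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)
$logs  = 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational'

$events = foreach ($log in $logs) {
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that log as empty.
        Write-Verbose "No events in $log since $since"
    }
}

# One row per event ID: how often it fired, its level, and the first line of the
# most recent message (e.g. "An error occurred while sending encryption status data.").
$events |
    Group-Object Id |
    Sort-Object Count -Descending |
    ForEach-Object {
        $last = $_.Group | Sort-Object TimeCreated | Select-Object -Last 1
        [pscustomobject]@{
            Id      = $_.Name
            Count   = $_.Count
            Level   = $last.LevelDisplayName
            Last    = $last.TimeCreated
            Message = ($last.Message -split "`r?`n")[0]
        }
    } | Format-Table -AutoSize

# "The remote endpoint does not exist or could not be located" points at the
# status-reporting web service. Read the URL the GPO pushed and probe it
# with the machine's Windows credentials. (Assumed key/value name.)
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$endpoint = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).StatusReportingServiceEndpoint
if (-not $endpoint) {
    Write-Warning "No StatusReportingServiceEndpoint under $pol - is the MBAM client GPO applied?"
} else {
    Write-Host "Status reporting endpoint: $endpoint"
    try {
        $r = Invoke-WebRequest -Uri $endpoint -UseBasicParsing -UseDefaultCredentials -TimeoutSec 15
        Write-Host "HTTP $($r.StatusCode) from endpoint"
    } catch {
        Write-Warning "Endpoint unreachable: $($_.Exception.Message)"
    }
}
```

Run it elevated on a client that is not encrypting and on one that is; if both show the same TransferStatusFailed noise but only one shows "The MBAM policies were applied successfully", the reporting error is a red herring for the encryption problem, which is exactly what the original poster later observed.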
    The only error I see in the event log is the following:
    An error occurred while sending encryption status data.
    Error code: -2143485939
    Details: The remote endpoint does not exist or could not be located.
    Event ID: 4
    Task Category: TransferStatusFailed
    --
    The MBAM policies were applied successfully.
    Volume ID: \\?\Volume{04c9a55c-9d9b-41e1-91f2-6bf626f7d95a}\
    --

    But we get this error on computers where BitLocker is running properly too.
    • Edited by stonwt Tuesday, August 29, 2017 9:23 AM
    Tuesday, August 29, 2017 9:23 AM
  • Hi,

    Can you check what manage-bde -Status says?

    /Oliver

    Tuesday, August 29, 2017 11:15 AM
    manage-bde -Status:

    Volume C: [Windows]
    [OS Volume]

        Size:                 231,98 GB
        BitLocker Version:    None
        Conversion Status:    Fully Decrypted
        Percentage Encrypted: 0,0%
        Encryption Method:    None
        Protection Status:    Protection Off
        Lock Status:          Unlocked
        Identification Field: None
        Key Protectors:       None Found
    Wednesday, August 30, 2017 1:31 PM
    Looks good...

    Please run bdehdcfg -driveinfo to check whether the drive is prepared for BitLocker.

    /Oliver

    Wednesday, August 30, 2017 2:17 PM
  • bdehdcfg -driveinfo :

    This computer's hard drive is properly configured for BitLocker. It is not necessary to run BitLocker Setup.

    Thursday, August 31, 2017 11:12 AM
  • The error in event viewer WS_E_ENDPOINT_NOT_FOUND you mentioned earlier basically states that you ran into connectivity issues with your clients and that the webservice used for collecting encryption data was not reachable.

    Have you tried using Invoke-MBAMClientDeployment script? It allows you to initiate bitlocker encryption at the end of your deployments. Additionally, it might provide you with additional insights where the MBAM client is failing. Since your machines are domain joined, you would need to edit line 1260 in the script as follows:

    # Throw "IsDomainJoined: Failed to get WMI Win32_ComputerSystem."

    Additionally, are you encrypting your connections with the MBAM server? Can you access the web services from your clients? I've seen similar issues when running a non-Microsoft load balancer, which would lead to connections to MBAM servers being reset intermittently.


    Blog - http://www.vacuumbreather.com / http://www.wcsaga.com

    Thursday, August 31, 2017 12:28 PM
  • Depending on your approach, you could consider running the PS script at the end of your deployment.

    If you run the script on one of your test clients (with the modification described above) does the encryption work or do you run into an error as well?


    Blog - http://www.vacuumbreather.com / http://www.wcsaga.com

    Thursday, August 31, 2017 1:28 PM
    I guess I have found the cause of our problems: when the computer is installed and the first login is via Remote Desktop, the encryption will not start.

    Now I opened a Microsoft support case.

    Wednesday, September 20, 2017 12:30 PM
    Strange... let us know what MS says about this ;-)

    /Oliver

    Wednesday, September 20, 2017 1:26 PM
  • “The behavior they are observing (about encryption not starting automatically when RDP’d) is by design. You need to be logged in at the console for BitLocker to start the enactment."

    NOTED... I kept logging into the target computer through RDC/RDP. After reading that statement, I logged in to the console with VNC, and MBAM kicked off right away.

    thanks,

    Wednesday, September 26, 2018 6:16 PM
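As an added example that is not part of this thread: a PowerShell check you can run on a freshly built client before waiting for MBAM to act. It reports whether the current logon is a console or an RDP session (the distinction the accepted answer turns on), whether the MBAM client service is running, and the OS volume's BitLocker state in the same terms as the manage-bde -Status output above. It assumes that $env:SESSIONNAME is "Console" for a console logon and "RDP-Tcp#<n>" for an RDP logon, that Get-BitLockerVolume from the Windows BitLocker module is available, and that the MBAM client service is named MBAMAgent.

```powershell
# Added example (not from the thread). Assumes: $env:SESSIONNAME is "Console"
# for a console logon and "RDP-Tcp#<n>" for an RDP logon; Get-BitLockerVolume
# from the BitLocker module; the MBAM client service is named "MBAMAgent".

function Get-SessionKind {
    # SESSIONNAME is unset in session 0 (services, scheduled tasks).
    $name = $env:SESSIONNAME
    if (-not $name)             { return 'NonInteractive' }
    if ($name -eq 'Console')    { return 'Console' }
    if ($name -like 'RDP-Tcp*') { return 'RDP' }
    return $name
}

function Get-OsVolumeSummary {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    if (-not $protectors) { $protectors = 'None Found' }   # matches manage-bde's wording
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus        # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        PercentEncrypted = $vol.EncryptionPercentage
        ProtectionStatus = $vol.ProtectionStatus    # Off until a protector is active
        KeyProtectors    = $protectors
    }
}

$kind  = Get-SessionKind
$agent = Get-Service -Name MBAMAgent -ErrorAction SilentlyContinue
$os    = Get-OsVolumeSummary

"Logon session : $kind"
"MBAM agent    : " + $(if ($agent) { $agent.Status } else { 'not installed' })
$os | Format-List

if ($os.VolumeStatus -eq 'FullyDecrypted' -and $kind -eq 'RDP') {
    Write-Warning ('You are connected over RDP. MBAM only starts enactment for a console logon; ' +
                   'log on at the console (or with a tool that attaches to the console session) and re-check.')
}
```

The warning is the practical takeaway from the thread: a volume that reports "Fully Decrypted" with "None Found" under key protectors is not broken, it is simply waiting for a console logon. Starting encryption by hand with manage-bde -on, as the original poster did, works but bypasses the MBAM enactment path, so prefer a console (or console-attached VNC) logon when you want the client to do it on its own.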