
Fix Windows BitLocker CSP Failures: Resolving Error 0x8031005b

Hexnode deploys BitLocker to Windows 10/11 fleets through the native BitLocker configuration service provider (CSP). If a pre-existing local configuration (typically an Active Directory Group Policy setting) or a missing hardware prerequisite contradicts the policy you push, the device rejects the encryption action without any prompt to the user: the only evidence is a failed action in the Hexnode console and an error event on the device.

1. Error: “The Group Policy settings for BitLocker startup options are in conflict” (Code 0x8031005b)

The Symptom: The Hexnode action logs show the policy push as Failed, and the device's local Event Viewer records an error event stating that BitLocker Drive Encryption cannot apply its startup settings.

The Underlying Logic: Silent encryption can only use a TPM-only key protector, because nobody is at the console to type a PIN or insert a key at boot. The error is raised when the policy requests silent encryption while another setting, from an Active Directory GPO or from the Hexnode profile itself, requires a pre-boot startup PIN or a USB startup key. BitLocker cannot satisfy both requirements, so it applies neither and reports 0x8031005b.

Auditing the Conflict via Local Client Event Logs

To confirm the exact point of failure on an affected Windows device, open Event Viewer and expand the following path: Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management

Look for Event ID 43 or Event ID 846. The event text spells out the contradiction:

Error: Failed to enable Silent Encryption.

Exception Code: 0x8031005b

Description: The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Please complete all operations before continuing.

Remediation Protocol inside Hexnode Policies

To run silent, touchless encryption across corporate machines without presenting interactive prompts to end users, make sure your Hexnode Windows Encryption Policy uses the following settings:

  1. Navigate to Policies > New Policy > Windows > Security > BitLocker.
  2. Choose a Drive and enable the setting: Configure additional startup authentication settings.
  3. So that no startup authentication setting can demand user interaction (the trigger for error 0x8031005b), set the following four options as a matching set:
    1. Configure TPM startup: Set to Allow TPM (or Require TPM). Never Do not allow TPM, which removes the only protector silent encryption can use.
    2. Configure TPM startup PIN: Set to Do not allow startup PIN with TPM.
    3. Configure TPM startup key: Set to Do not allow startup key with TPM.
    4. Configure TPM startup key and PIN: Set to Do not allow startup key and PIN with TPM.
  4. Save the policy and assign it to the target device group, then trigger a sync from the portal so the device pulls the updated policy instead of waiting for its scheduled check-in.

Hexnode Remote Action Enforcement: If the policy sync does not start the encryption cycle immediately, you do not have to wait for the next check-in. Navigate to Manage > [Select Target Device] > Actions > Security > Force BitLocker Encryption to start the process over the air.
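The audit described above can be scripted. The following PowerShell is an added example written for this article (not a Hexnode product script and not the page's own code): it reads the effective BitLocker startup-authentication policy from the registry, flags any value that contradicts silent (TPM-only) encryption using the same four settings as the remediation list, and pulls the most recent Event ID 846 entries from the BitLocker-API > Management channel. It assumes the CSP-delivered policy lands in the same HKLM\SOFTWARE\Policies\Microsoft\FVE key that the "Require additional authentication at startup" Group Policy writes, where each TPM startup setting is stored as 0 = Do not allow, 1 = Require, 2 = Allow. Run it from an elevated prompt on the affected device.

```powershell
# Added diagnostic for error 0x8031005b. Example code written for this article; it is not
# a Hexnode product script and not the script the article itself ships.
# Assumption: the CSP-delivered startup-authentication policy is stored in the same registry
# key that the "Require additional authentication at startup" GPO writes.
# Run from an elevated PowerShell prompt on the affected device.

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Shared encoding of the four TPM startup settings: 0 = Do not allow, 1 = Require, 2 = Allow
$SettingMeaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

function Get-StartupAuthPolicy {
    # Returns the raw policy values; a value that is not configured comes back as $null.
    $p = Get-ItemProperty -Path $FvePolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UseAdvancedStartup = $p.UseAdvancedStartup   # 1 = a startup-authentication policy is in force
        UseTPM             = $p.UseTPM               # "Configure TPM startup"
        UseTPMPIN          = $p.UseTPMPIN            # "Configure TPM startup PIN"
        UseTPMKey          = $p.UseTPMKey            # "Configure TPM startup key"
        UseTPMKeyPIN       = $p.UseTPMKeyPIN         # "Configure TPM startup key and PIN"
    }
}

function Test-SilentEncryptionConflict {
    # Returns one line per setting that makes silent (TPM-only, no prompt) encryption impossible.
    param([Parameter(Mandatory)] $Policy)
    $conflicts = @()
    if ($Policy.UseAdvancedStartup -ne 1) {
        return $conflicts   # no startup-authentication policy applied: BitLocker defaults to TPM-only
    }
    if ($Policy.UseTPM -eq 0) {
        $conflicts += 'UseTPM = 0 (Do not allow TPM): silent encryption needs a TPM key protector.'
    }
    foreach ($name in 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        if ($Policy.$name -eq 1) {
            $conflicts += "$name = 1 ($($SettingMeaning[1])): a PIN or startup key needs a user at the console, which silent encryption cannot provide."
        }
    }
    return $conflicts
}

function Get-SilentEncryptionFailures {
    # Most recent "Failed to enable Silent Encryption" events (ID 846) from the
    # BitLocker-API > Management channel shown in Event Viewer.
    param([int] $Count = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 846 } `
                 -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace "`r?`n", ' ' } }
}

$policy    = Get-StartupAuthPolicy
$conflicts = Test-SilentEncryptionConflict -Policy $policy

'Effective BitLocker startup-authentication policy:'
$policy | Format-List | Out-String

if ($conflicts) {
    'CONFLICT: these settings block silent encryption (expected: UseTPM = 1 or 2; UseTPMPIN, UseTPMKey, UseTPMKeyPIN = 0):'
    $conflicts | ForEach-Object { "  - $_" }
} else {
    'No startup-authentication conflict found in the applied policy.'
}

'Recent Event ID 846 entries (if any):'
Get-SilentEncryptionFailures | Format-Table -AutoSize | Out-String
```

If the script reports a conflict but the Hexnode profile already matches the four settings above, the offending value is coming from a domain GPO; fix it there (or move the device out of that GPO's scope), because a domain policy will keep overwriting what the MDM channel sets.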

2. Verifying and Remediating TPM 2.0 Hardware Failures

The Symptom: The BitLocker profile pushes successfully, but the machine reports a status of "Not Encrypted" because the TPM is absent, disabled in UEFI firmware, or not initialized, so no TPM key protector can be created.

(Diagnostic Tip: Administrators can quickly check the live local state of the drive, including its key protectors and encryption percentage, by running manage-bde -status from an elevated Command Prompt, either locally or through Hexnode's remote terminal.)

The Fix Actions via Remote Administrative PowerShell: Instead of inspecting each machine by hand, push a remote script or use Hexnode's terminal pipeline to read the TPM and volume state directly on the device.

Note: The following script requires elevated administrative privileges. When deployed via Hexnode’s Execute Custom Script pipeline, it automatically runs under the SYSTEM account. If testing the script locally first, ensure you are using an elevated PowerShell prompt.

Solution Framework
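As an added example (written for this article, not a Hexnode product script and not the page's own solution script), the following PowerShell collects what the previous section asks for: whether a TPM is present, ready and at spec version 2.0, what BitLocker currently reports for the system drive, and a list of blockers explaining why the drive is still Not Encrypted. It uses only the in-box TrustedPlatformModule and BitLocker modules (Get-Tpm, Get-BitLockerVolume) and the Win32_Tpm CIM class, so it needs an elevated prompt locally or the SYSTEM context Hexnode's Execute Custom Script action provides. The non-zero exit code at the end is a convention of this example for flagging the device in whatever runs the script; it is not a documented Hexnode behaviour.

```powershell
# Added readiness check for the "policy applied, drive stays Not Encrypted" case. Example code
# written for this article; not a Hexnode product script. Requires elevation (or SYSTEM context).

function Get-BitLockerReadiness {
    param([string] $MountPoint = $env:SystemDrive)

    $tpm     = Get-Tpm -ErrorAction SilentlyContinue
    $vol     = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    # SpecVersion is a string such as "2.0, 0, 1.38"; the leading field is the TPM spec level.
    $tpmSpec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
                                -ErrorAction SilentlyContinue).SpecVersion

    $blockers = @()
    if (-not $tpm -or -not $tpm.TpmPresent) {
        $blockers += 'No TPM visible to Windows: chip absent, or disabled/hidden in UEFI firmware.'
    } elseif (-not $tpm.TpmReady) {
        $blockers += 'TPM present but not ready: not initialized (run Initialize-Tpm, or clear/enable it in firmware).'
    } elseif ($tpmSpec -and -not $tpmSpec.StartsWith('2.0')) {
        $blockers += "TPM spec version is $tpmSpec, not 2.0."
    }

    if (-not $vol) {
        $blockers += "Get-BitLockerVolume returned nothing for $MountPoint (BitLocker feature or service unavailable)."
    } elseif ($vol.VolumeStatus -eq 'FullyDecrypted' -and $blockers.Count -eq 0) {
        $blockers += 'Hardware is ready but the volume is still FullyDecrypted: re-push the policy or use Force BitLocker Encryption.'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        TpmPresent           = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady             = [bool]($tpm -and $tpm.TpmReady)
        TpmSpecVersion       = $tpmSpec
        VolumeStatus         = $vol.VolumeStatus          # FullyDecrypted, EncryptionInProgress, FullyEncrypted, ...
        ProtectionStatus     = $vol.ProtectionStatus      # On / Off
        EncryptionPercentage = $vol.EncryptionPercentage
        KeyProtectors        = ($vol.KeyProtector.KeyProtectorType -join ', ')   # expect Tpm (+ RecoveryPassword)
        Blockers             = $blockers
    }
}

$report = Get-BitLockerReadiness
$report | Format-List | Out-String | Write-Output

# Convention of this example: non-zero exit when something blocks encryption, so the
# caller (console, script runner) can tell a healthy device from one needing attention.
if ($report.Blockers.Count -gt 0) { exit 1 } else { exit 0 }
```

A device that reports TpmPresent = True but TpmReady = False usually needs the TPM enabled or cleared in UEFI setup, which is a firmware-level change the MDM channel cannot make for you; a device whose key protectors show Tpm but whose VolumeStatus is still FullyDecrypted is the case the Force BitLocker Encryption action in section 1 is meant to clear.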