Troubleshoot Common Issues with BitLocker
BitLocker, the Windows full-disk encryption feature, can be enabled on Windows devices with the BitLocker security policy in Hexnode. It helps protect the device even in compromised environments by encrypting the entire OS volume on the disk and by verifying the integrity of the boot process.
1. BitLocker policy association fails as the system cannot find the specified file.
When you are associating the Windows BitLocker security policy through Hexnode, it fails and returns the error message:
“Unable to turn on BitLocker as the system cannot find the file specified. Resetting the REAgent.xml file may help in resolving the issue.”
If you turn on BitLocker directly on such a device, without the UEM policy, Windows shows the same error: "The system cannot find the file specified."
To resolve this issue, reset the REAgent.xml file on the device. To do so,
- On the target Windows device, open File Explorer by pressing Windows + E.
- Go to C:\Windows\System32\Recovery.
- Find the REAgent.xml file and right-click on it.
- Click Rename and rename the file to REAgent.old.
- Click Yes in the prompt you receive.
After successfully resetting the REAgent.xml file, reassociate the BitLocker policy with the device.
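The reset procedure above as a script, an added example rather than Hexnode's own tooling; it assumes an elevated PowerShell session on the affected device:

```powershell
# Reset REAgent.xml as described in the steps above, keeping any earlier backup,
# then show the WinRE and BitLocker state so the result can be checked before
# re-associating the policy. Added example; run from an elevated PowerShell prompt.
$recovery = Join-Path $env:SystemRoot 'System32\Recovery'
$agent    = Join-Path $recovery 'REAgent.xml'
$backup   = Join-Path $recovery 'REAgent.old'

if (-not (Test-Path $agent)) {
    Write-Warning "$agent not found; nothing to reset."
    return
}

if (Test-Path $backup) {
    # Do not overwrite a previous REAgent.old; keep it with a timestamp suffix
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    Rename-Item -Path $backup -NewName "REAgent.old.$stamp"
}

Rename-Item -Path $agent -NewName 'REAgent.old'
Write-Host "Renamed REAgent.xml to REAgent.old in $recovery"

# Windows regenerates REAgent.xml when WinRE is next configured;
# reagentc /info reports the current Windows RE status.
reagentc /info

# Current BitLocker state of the OS volume, for comparison after the policy is re-applied
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```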
2. The policy doesn’t reach the target device
The applied BitLocker policy fails to reach the device end.
Possible causes:
- The device does not have an active internet connection.
- The device is not listed under the Policy Targets.
Solutions:
- Establish an active network connection on the device so that the policy can take effect.
- Check that the device is listed as a target under the Policy Targets tab of the same BitLocker policy.
3. The policy reaches the device, but BitLocker settings are not getting applied to the device
The BitLocker policy pushed from the Hexnode portal reaches the device, but some BitLocker settings are not applied.
Some BitLocker settings are not supported on all Windows versions, and BitLocker does not work on all hardware.
Make sure the devices satisfy the BitLocker software and hardware requirements. See the BitLocker CSP documentation for the Windows versions supported by each BitLocker setting, and the hardware requirements for BitLocker encryption.
Here is a list of common error messages shown in Windows Event Viewer (Applications and Services Logs > Microsoft > Windows > BitLocker-API), their causes and possible remedies.
1. A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
The error message indicates that the device does not have a compatible TPM chip.
The device may not have a TPM chip, or the TPM may be disabled in the device BIOS/UEFI firmware.
Ensure that TPM is enabled in the device BIOS. Use PowerShell to obtain information about the Trusted Platform Module (TPM) on the computer.
Also verify that the TPM status in the TPM management console (tpm.msc) shows the following:
- Ready (TPM 2.0)
- Initialized (TPM 1.2)
2. BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
The error message indicates that the device contains bootable media (CD or DVD).
BitLocker Drive Encryption records the device configuration during provisioning to establish a baseline; if it later detects changes to that configuration, the device enters BitLocker recovery mode. To avoid this, provisioning stops if it finds removable bootable media on the device.
Remove the bootable media from the device, restart it, and verify the encryption status after the restart.
3. WinRE is not configured
This error message indicates that the device cannot be encrypted because the Windows Recovery Environment (WinRE) is not properly configured.
The provisioning process cannot start unless Windows Recovery Environment (WinRE) is available on the device.
Resolve the issue by verifying the following:
- Configuration of the disk partitions
- WinRE status
- Configuration of Windows Boot Loader
4. Contact the computer manufacturer for BIOS upgrade instructions
Encryption cannot be enabled on the OS drive.
The device is most likely running in legacy BIOS mode, which is not compatible with BitLocker device encryption.
To check the BIOS mode:
- Click the Start menu, search for msinfo32 and open System Information.
- Check that the BIOS Mode setting is not Legacy. If it is Legacy, switch the firmware to UEFI (EFI) mode.
5. BitLocker cannot use Secure Boot for integrity
The accompanying message reads: "Cannot read the Unified Extensible Firmware Interface (UEFI) variable 'SecureBoot' for integrity."
Secure Boot must be turned on for BitLocker device encryption.
Verify the Platform Configuration Register (PCR) validation profile of the TPM and the state of Secure Boot.
6. Drive Encryption cannot be applied to this drive
Encryption cannot be enabled on the OS drive because of conflicting Group Policy settings for recovery options.
Review the BitLocker Group Policy settings on the device for conflicts with the pushed policy to resolve this issue.
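A single check covering the causes behind Event Viewer errors 1 to 6 above (TPM, bootable media, WinRE, firmware mode, Secure Boot, Group Policy) plus the most recent BitLocker-API error events. This is an added example, not Hexnode's own tooling; it assumes an elevated PowerShell session with the TrustedPlatformModule, SecureBoot and BitLocker modules that ship with Windows, and the log name given for the Event Viewer path is an assumption:

```powershell
# Collect the BitLocker prerequisites discussed above into one object and list
# recent BitLocker-API errors. Added example; run from an elevated PowerShell prompt.
function Test-BitLockerPrereqs {
    $r = [ordered]@{}

    # 1. TPM present and ready (Get-Tpm), plus the spec version (2.0 vs 1.2) from WMI
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
    $r.TpmPresent = $tpm.TpmPresent
    $r.TpmReady   = $tpm.TpmReady
    $r.TpmSpec    = $spec

    # 2. Bootable optical media still inserted
    $r.OpticalMediaLoaded = [bool](Get-CimInstance Win32_CDROMDrive | Where-Object MediaLoaded)

    # 3. WinRE status, parsed from reagentc /info output
    $r.WinReEnabled = [bool](reagentc /info | Select-String 'Windows RE status:\s+Enabled')

    # 4. Firmware mode: device encryption needs UEFI, not Legacy BIOS
    $r.FirmwareType = $env:firmware_type

    # 5. Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS
    try   { $r.SecureBoot = Confirm-SecureBootUEFI }
    catch { $r.SecureBoot = 'n/a (not UEFI)' }

    # 6. BitLocker Group Policy values (HKLM\SOFTWARE\Policies\Microsoft\FVE) that may conflict
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $r.FvePolicyValues = if ($fve) {
        ($fve.PSObject.Properties | Where-Object Name -notlike 'PS*' |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    } else { 'none' }

    # Current state of the OS volume
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $r.OsVolumeStatus     = $vol.VolumeStatus
    $r.OsProtectionStatus = $vol.ProtectionStatus

    [pscustomobject]$r
}

# Newest error events under Applications and Services Logs > Microsoft > Windows > BitLocker-API
# (assumed log name for that path: Microsoft-Windows-BitLocker/BitLocker Management)
function Get-BitLockerApiErrors {
    param([int]$Count = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Level = 2 } `
        -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Test-BitLockerPrereqs | Format-List
Get-BitLockerApiErrors | Format-Table -Wrap
```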