BitLocker Drive Encryption Failure

Juan 0 Reputation points
2024-07-31T19:08:40.1366667+00:00

I have a device managed via Intune and silent BitLocker encryption is the only thing showing as non-compliant.

Image

In reviewing the device, BitLocker encryption has failed; I see it throws out this prompt:

Image

I went through the device local GP settings and all settings are as they should be per below:

Image

In reviewing the event logs, I get the following:


Event ID: 834 BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.

Event ID: 778 The BitLocker volume C: was reverted to an unprotected state.

Event ID: 851 Failed to enable Silent Encryption. Error: The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information..

Event ID: 835 BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority has invalid structure. The event is expected to be an EV_EFI_VARIABLE_AUTHORITY event. The event data must be formatted as an EFI_VARIABLE_DATA structure with VariableName set to EFI_IMAGE_SECURITY_DATABASEGUID and UnicodeName set to 'db'.

Event ID: 851 Failed to enable Silent Encryption. Error: BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing..

I have seen one online document advising to go into RegEdit, change any value data of 0 or 1, and delete these entries. Is this really the only fix, or could it break the policies? What about any value with 2?

Image

Image

  1. Crystal-MSFT 53,981 Reputation points Microsoft External Staff
    2024-08-01T01:33:22.3466667+00:00

    @Juan, Thanks for posting in Q&A. From your description, I know the device shows non-compliant because BitLocker is not enabled. And when we check on the device, it shows there's a conflicting group policy setting with BitLocker. But when we check the local group policy, we find it is not set there. Please confirm if there's any domain group policy applied to this device. If yes, remove the policy from this device to avoid the conflict.

    In general, settings in the policy provider registry key will be duplicated into the main BitLocker registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

    https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-protection/troubleshoot-bitlocker-policies#bitlocker-registry-key

    If there's a mismatch, it will cause issues; we can consider removing these mismatched registry keys. To ensure nothing is affected, you can back up the registry key before we remove it.

    Please try the above suggestion and if there's any update, feel free to let us know.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

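The answer above recommends backing up the `HKLM\SOFTWARE\Policies\Microsoft\FVE` key and then looking for mismatched startup-option values. The script below is an added example (not code from the thread, from Intune, or from Microsoft) that does the backup first and then reports the startup-authentication values silent encryption depends on. The value names (`UseAdvancedStartup`, `EnableBDEWithNoTPM`, `UseTPM`, `UseTPMPIN`, `UseTPMKey`, `UseTPMKeyPIN`, with 0 = do not allow, 1 = require, 2 = allow) are the ones the "Require additional authentication at startup" policy writes under FVE; the `-Fix` switch, the backup folder and the rule "any required PIN/key blocks silent encryption" are this example's own assumptions. It deletes nothing: which two keys the thread's resolution removed is not stated on the page, so that step is left to the admin after reading the report.

```powershell
param([switch]$Fix)   # assumed switch: only change values when explicitly asked to

# Run from an elevated PowerShell prompt on the affected device.
$FvePath   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$BackupDir = Join-Path $env:TEMP 'FVE-backup'      # assumed location for the .reg backup
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Back up the whole key before touching anything; reg.exe export yields a restorable .reg file.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir "FVE-$stamp.reg"
reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\FVE' $backup /y | Out-Null
Write-Host "Backup written to $backup"

# 2. Read the startup-option values (0 = do not allow, 1 = require, 2 = allow).
$names   = 'UseAdvancedStartup','EnableBDEWithNoTPM','UseTPM','UseTPMPIN','UseTPMKey','UseTPMKeyPIN'
$props   = Get-ItemProperty -Path $FvePath -ErrorAction SilentlyContinue
$current = @{}
foreach ($n in $names) {
    $v = if ($props -and $props.PSObject.Properties[$n]) { $props.$n } else { $null }
    $current[$n] = $v
    $shown = if ($null -eq $v) { '<not set>' } else { $v }
    Write-Host ("{0,-20} {1}" -f $n, $shown)
}

# 3. Flag values that cannot be satisfied without a user at the console: a required (1) PIN or
#    startup key needs interactive input, and UseTPM = 0 forbids the TPM-only protector that
#    silent encryption creates.
$problems = @()
foreach ($n in 'UseTPMPIN','UseTPMKey','UseTPMKeyPIN') {
    if ($current[$n] -eq 1) { $problems += "$n = 1 (required): silent encryption cannot prompt for it" }
}
if ($current['UseTPM'] -eq 0) { $problems += 'UseTPM = 0: TPM-only protector is disallowed' }

if ($problems.Count -eq 0) {
    Write-Host 'No conflicting startup-option values found under FVE.'
    return
}
Write-Warning ("Conflicting values:`n  " + ($problems -join "`n  "))

# 4. Optional remediation matching the thread's resolution (UseTPM = 2, i.e. allow TPM) and
#    relaxing any required PIN/key option to 'allow'. Correct the Intune policy itself first,
#    otherwise the next policy sync re-creates the same values.
if ($Fix) {
    Set-ItemProperty -Path $FvePath -Name 'UseTPM' -Value 2 -Type DWord
    foreach ($n in 'UseTPMPIN','UseTPMKey','UseTPMKeyPIN') {
        if ($current[$n] -eq 1) { Set-ItemProperty -Path $FvePath -Name $n -Value 2 -Type DWord }
    }
    Write-Host 'Applied: UseTPM = 2; required PIN/key options set to allow (2). Backup kept at' $backup
}
```

Run it once without `-Fix` to get the report and the backup, compare the values with what the Intune BitLocker profile is supposed to set, and only then decide whether to relax values locally or to fix the profile (or the conflicting domain GPO the answer asks about) and let the next sync rewrite FVE. Restoring is `reg.exe import` of the saved `.reg` file.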

  2. Juan 0 Reputation points
    2024-08-01T23:21:09.1633333+00:00

    This matter is resolved.

    You need to remove 2 keys and set UseTPM with a value of 2.


  3. Crystal-MSFT 53,981 Reputation points Microsoft External Staff
    2024-08-02T02:05:23.5066667+00:00

    @Juan, Thanks for the update. I am glad the issue is resolved. To help others who have the same issue find the solution quickly, please let me write a brief summary:

    Issue:

    BitLocker encryption shows non-compliant.

    Image

    In reviewing the device, BitLocker encryption has failed, and local group policy is not set.

    Image

    Errors in the event log:

    Event ID: 834 BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.

    Event ID: 778 The BitLocker volume C: was reverted to an unprotected state.

    Event ID: 851 Failed to enable Silent Encryption. Error: The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information..

    Event ID: 835 BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority has invalid structure. The event is expected to be an EV_EFI_VARIABLE_AUTHORITY event. The event data must be formatted as an EFI_VARIABLE_DATA structure with VariableName set to EFI_IMAGE_SECURITY_DATABASEGUID and UnicodeName set to 'db'.

    Event ID: 851 Failed to enable Silent Encryption. Error: BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing..

    Resolution:

    User's image

    Thanks for your sharing and have a nice day!


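The summary above lists the event IDs (834, 778, 851, 835) that document the failure sequence. The script below is an added example (not from the thread or from Microsoft) that pulls exactly those IDs from the local BitLocker-API log in time order and shows the OS volume's protection state and the platform facts behind the Secure Boot events, so an admin can confirm on another device that it is the same failure before touching the registry. The log name `Microsoft-Windows-BitLocker/BitLocker Management`, `Get-BitLockerVolume`, `Confirm-SecureBootUEFI` and `Get-Tpm` are the standard Windows cmdlets and log; the 48-hour window is this example's assumption.

```powershell
param([int]$Hours = 48)   # assumed lookback window

$LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
$Ids     = 778, 834, 835, 851          # the IDs cited in the thread
$since   = (Get-Date).AddHours(-$Hours)

# 1. Events in chronological order: 834/835 (TCG log unusable for Secure Boot) typically precede
#    851 (policy conflict) and 778 (volume reverted to unprotected).
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Ids; StartTime = $since } `
              -ErrorAction SilentlyContinue | Sort-Object TimeCreated

if (-not $events) {
    Write-Host "No events with IDs $($Ids -join ', ') in the last $Hours hours."
} else {
    $events | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Message = ($_.Message -split "`r?`n")[0]    # first line is enough for triage
        }
    } | Format-Table -AutoSize -Wrap
}

# 2. Protection state of the OS volume. After a 778 the volume shows ProtectionStatus Off and
#    no key protectors; a successful silent encryption shows a Tpm protector plus RecoveryPassword.
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ', ' } } |
    Format-List

# 3. Platform facts behind 834/835: Secure Boot state (the cmdlet throws on legacy BIOS) and TPM readiness.
$secureBoot = try { Confirm-SecureBootUEFI } catch { 'not UEFI / unavailable' }
$tpm        = Get-Tpm -ErrorAction SilentlyContinue
[pscustomobject]@{
    SecureBoot = $secureBoot
    TpmPresent = $tpm.TpmPresent
    TpmReady   = $tpm.TpmReady
} | Format-List
```

Run it elevated on the non-compliant device. If 851 appears without any 834/835, the problem is purely the policy/registry conflict discussed in the accepted answer; if 834/835 are present as well, the firmware's TCG log for PCR[7] is also not usable for Secure Boot validation, which is a separate platform issue to raise with the OEM after the policy conflict is cleared.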