3,085 questions
Hi VJ
Do you get any more details in Event Logs > Applications and Services Logs > Microsoft > Windows > MBAM?
Bitlocker encryption not working on some newly built Laptops
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 33%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Sri
1
Reputation point
Hello,
We have MBAM environment to manage encryption on Windows 10 workstations. After the laptop is handed over, the end user gets the pop up from MBAM via GPO to enter the PIN and encrypt the device. The pop up does come but after entering the PIN it does not encrypt the device.
Errors observed :
- At least one drive on this computer could not be encrypted
The pop keeps coming every hr due but every time the encryption could not get completed
Following steps were tried
- Restart MBAM service on workstation
- Launch the MBAM UI directly from "C:\Program files\Microsoft\MDOP MBAM\MBAMClientUI.exe"
- Run gpupdate and reboot
Fix
- If we manually run "manage-bde -on c" and from cmd then reboot it works fine with the MBAM pop up wizard What this command line does - Is it specific to device settings ? How can i fix it for multiple devices ?
Regards
VJ
Windows for business Windows Client for IT Pros Devices and deployment Configure application groups
{count} votes
-
Teemo Tang 11,466 Reputation points2021-05-12T07:18:24.213+00:00 If you resolved it using our solution, please click "Accept Answer" on a reply to help other community members find the helpful reply quickly.
Sign in to comment
6 answers
Sort by: Most helpful
-
-
Teemo Tang 11,466 Reputation points
2021-05-10T07:06:50.793+00:00 Hi VJ,
Using only the manage-bde -on <drive letter> command will encrypt the operating system volume with a TPM-only protector and no recovery key.
In your scenario, execute “manage-bde -on c” command will encrypt C partition with a TPM-only protector and turn on BitLocker, doesn’t use any other secure protectors such as passwords or PIN.
Source:
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker#bkmk-managebdeThere is a similar case, let’s search solution here:
https://www.reddit.com/r/SCCM/comments/hyquk4/mbam_encryption_not_starting_automatically_1910/On the other hand, you could use startup/login script to run manage-bde -on c on your clients, detail steps here:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789190(v=ws.11)-------------------------------------------------------------------------------------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. -
Sri 1 Reputation point
2021-05-10T13:06:56.627+00:00 Hi Colin & Teemo,
This device has a fully functional Bitlocker PIN now after the commands was run manually and encryption also is working
I see these in MBAM Operational logs even today. They were there also when the device was not encrypted
1) Incorrect function.
2) The process cannot access the file because it is being used by another process.
These in the MBAM Admin logs
1) The system cannot find the file specified.
As for the troubleshooting steps that were followed there is an additional step which I did not mention before
1) Open cmd with admin rights and run "manage-bde -on c: "
2) Reboot and run "manage-bde -status "
3) Make sure encryption is 100%
4) Run "manage-bde -protectors -add C: -TPMAndPIN" to set the PIN.So i am wondering why the automatic MBAM wizard gives an error after the PIN is entered while encrypting. If the above four steps are followed in the same device manually, then it works
Regards
VJ
-
Teemo Tang 11,466 Reputation points
2021-05-11T02:04:25.833+00:00 Debugging windows log is beyond scope of forums support so if further assistance were needed you could open a request ticket with Microsoft support.
https://support.serviceshub.microsoft.com/supportforbusiness
Sign in to comment -
-
Sri 1 Reputation point
2021-05-10T13:09:13.333+00:00 Hi Teemo,
This URL does not open
Regards
VJ
-
Teemo Tang 11,466 Reputation points
2021-05-11T02:05:10.48+00:00 Ok, please refer to this link:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/assign-logon-script-profile-local-user
Sign in to comment -
-
Colin Ford 1,026 Reputation points2021-05-10T20:26:04.07+00:00 On a device with the issue, instead of running the manage-bde.exe commands can you remove and re-install the MBAM client manually and see if that works? Does this happen to all of your devices or just a handful?