MECM 2002, BitLocker encryption not starting automatically

xianhua 李 86 Reputation points
2021-06-22T09:40:39.847+00:00

Hello,

We have deployed a BitLocker management policy to 2 test machines, but the encryption does not start automatically, and no pop-up window appears to start encryption or to enter the PIN.

I have checked the event logs:
in MBAM - Admin, no logs.
in MBAM - Operation, only event IDs 1 and 31 are present, no errors found.

BitLockerManagement_GroupPolicyHandler.log and BitLockerManagementHandler.log contain no errors.

So, any ideas?

Microsoft Configuration Manager

Accepted answer
  1. HanyunZhu-MSFT 1,846 Reputation points
    2021-06-23T04:19:55.193+00:00

    Hi @xianhua 李 ,

    There are some possibilities that may cause BitLocker Drive Encryption not to start.
    We can first confirm whether the client agent is installed in Programs and Features.

    If it is, please check the following two points; they may cause BitLocker Drive Encryption not to start.

    1. Is any Remote Desktop Protocol connection active? If so, close them all.
    2. Sign in to the client with a domain user account, not a local user account.
      If we sign in with a local user account, BitLocker Drive Encryption doesn't start.
      For more details, we can use this article as a reference:
      https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/deploy-management-agent#deploy-a-policy

    Hope the above information is helpful to you.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


1 additional answer

  1. xianhua 李 86 Reputation points
    2021-06-24T08:09:03.37+00:00

    The problem was solved.

    I don't know which step(s) fixed the problem; here is everything I did:

    1. Registered the SPN for the server, following this Link
    2. In the BitLocker Management Policy, "Enter client checking status frequency in (Minutes): " is set to 1 minute. This makes the policy apply more frequently so that I can capture the errors.

    Soon after the above changes were made, one of my test machines got warnings in the event log - MBAM - Admin. The messages are:

    • Unable to connect to the MBAM recovery and Hardware service. error code -2143485974.
    • Unable to connect to the MBAM recovery and Hardware service. error code -2143485933.

    Translated to HRESULT:
    -2143485974: 0x803D0005, Message: Access was denied by the remote endpoint.
    -2143485933: 0x803D0013, Message: A message containing a fault was received from the remote endpoint.

    Googling -2143485974 / 0x803D0005 gave no solution.
    Googling -2143485933 / 0x803D0013 took me to 2 websites that look reasonable:

    1. Link
      It's a known issue that the computer record may be rejected in MBAM.
      The solution is to create the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\MBAM
      Value Name: DisableMachineVerification
      Type: DWORD
      Value: 1
    2. Link
      Grant permission to NT Authority\Network Service:
      In SSMS, expand CM_xxx (MECM database) - Security - Schema, right-click RecoveryAndHardwareRead, click Permissions, search for Network Service, then check all check boxes under the "Grant" column. Repeat assigning permission on RecoveryAndHardwareWrite.

    Also pay attention to the RDP connection and domain user account, as @HanyunZhu-MSFT answered.

    Thanks!
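
The checks from both answers collected into one client-side script, added here as an example and not taken from the thread or from Microsoft's documentation. It assumes the agent's service is named `MBAMAgent`, the "MBAM - Admin" log is the `Microsoft-Windows-MBAM/Admin` channel, and `qwinsta` prints English state names; the function names are made up for this example.

```powershell
# Added example: local pre-checks when a BitLocker management policy does not start encryption.
# Assumptions (not stated in the thread): service name 'MBAMAgent', event channel
# 'Microsoft-Windows-MBAM/Admin', English 'qwinsta' output. Function names are hypothetical.

function Convert-ToHResult {
    param([Parameter(Mandatory)][int]$Code)
    # The event text carries the HRESULT as a signed 32-bit decimal;
    # the X8 format prints its two's-complement value as 8 hex digits.
    '0x{0:X8}' -f $Code
}

function Test-BitLockerPrereq {
    # Agent present? (the answer checks this in Programs and Features)
    $agent = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
    # Active RDP sessions show up as 'rdp-tcp#N ... Active'; the bare 'rdp-tcp' listener is ignored.
    $rdp = @(qwinsta 2>$null | Where-Object { $_ -match 'rdp-tcp#\d+' -and $_ -match '\bActive\b' })
    [pscustomobject]@{
        AgentInstalled    = [bool]$agent
        AgentStatus       = if ($agent) { $agent.Status } else { 'NotFound' }
        ActiveRdpSessions = $rdp.Count
        # A local account reports the computer name as its domain.
        DomainUser        = $env:USERDOMAIN -ne $env:COMPUTERNAME
    }
}

function Get-MbamErrorCode {
    param(
        [string]$LogName = 'Microsoft-Windows-MBAM/Admin',
        [int]$MaxEvents = 100
    )
    Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the decimal code out of messages such as '... error code -NNNNNNNNNN.'
            if ($_.Message -match 'error code\s+(-?\d+)') {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Id          = $_.Id
                    Level       = $_.LevelDisplayName
                    HResult     = Convert-ToHResult -Code ([int]$Matches[1])
                    Message     = ($_.Message -split '\r?\n')[0]
                }
            }
        }
}

Test-BitLockerPrereq | Format-List
Get-MbamErrorCode | Sort-Object TimeCreated | Format-Table -AutoSize
```

Run it in the signed-in user's session on the affected client; an empty second table means no MBAM - Admin event carried an error code.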