Here is my go-to top-down method for troubleshooting BitLocker encryption issues on Windows devices: the procedure, the key event logs, and the commands you can’t miss.

1. Prerequisites

  • Administrative privileges on the device
  • The BitLocker recovery key (if the device is in a recovery state)
  • A working internet connection (if using Intune)

2. Identify the BitLocker Issue

The first step in troubleshooting any BitLocker issue is to identify the exact problem: a failure to encrypt, an unexpected prompt for a recovery key, an inability to access the drive, a policy that fails to apply, and so on. Each symptom has a different first place to look (the device, the portal, or the event logs), so pin the symptom down before collecting data. If the device is sitting at the recovery screen, write down the recovery key ID it displays; you will need it to pick the right key in the portal, because a device can have more than one.

a. Troubleshooting BitLocker – Windows

  1. Check BitLocker Status on Windows 10/11:
    • Open an elevated command prompt (right-click Command Prompt and select “Run as administrator”).
    • Type manage-bde -status and press Enter. This command lists every volume with its conversion status, encryption percentage, encryption method, protection status and key protectors. The PowerShell equivalent is Get-BitLockerVolume, which returns the same data as objects you can filter.
    • Read Protection Status separately from Conversion Status: a drive can be 100% encrypted with protection Off (suspended), which is a different problem from a drive that was never encrypted.
(Screenshot in the original post: output of manage-bde -status)
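The status check above is usually the first thing run on an affected device, so here is an added example (not code from the original post) that wraps it: one PowerShell call that reads Get-BitLockerVolume and Get-Tpm and sorts each volume into the failure classes this guide goes on to troubleshoot. It assumes an elevated PowerShell 5.1 or later session on Windows 10/11 with the built-in BitLocker and TrustedPlatformModule modules; the verdict strings and their order are my own heuristic, and nothing here changes the device.

```powershell
# Added example, not from the original post: a one-call BitLocker/TPM snapshot.
# Assumes elevated PowerShell 5.1+ on Windows 10/11 (BitLocker + TrustedPlatformModule modules).
#Requires -RunAsAdministrator

function Get-BitLockerTriage {
    [CmdletBinding()]
    param()

    # Get-Tpm throws when no TPM driver is loaded; treat that as "not ready" rather than aborting
    try   { $tpm = Get-Tpm -ErrorAction Stop }
    catch { $tpm = $null }
    $tpmReady = ($null -ne $tpm) -and $tpm.TpmPresent -and $tpm.TpmReady

    foreach ($v in Get-BitLockerVolume) {
        $recovery = @($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        $tpmProt  = @($v.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
        $isOs     = ($v.VolumeType -eq 'OperatingSystem')

        # First matching condition wins. Order: is it locked, is it encrypted at all, is it still
        # converting, is protection on, can it be recovered, can the OS drive boot unattended.
        $verdict = switch ($true) {
            ($v.LockStatus -eq 'Locked') {
                'LOCKED: unlock with the 48-digit recovery password (manage-bde -unlock)'; break }
            ($v.VolumeStatus -eq 'FullyDecrypted') {
                'NOT ENCRYPTED: policy never applied or encryption never started'; break }
            ($v.VolumeStatus -like '*Progress*' -or $v.VolumeStatus -like '*Paused*') {
                "CONVERTING: $($v.VolumeStatus) at $($v.EncryptionPercentage)%"; break }
            ($v.ProtectionStatus -ne 'On') {
                'SUSPENDED: encrypted but protectors are disabled (Resume-BitLocker)'; break }
            ($recovery.Count -eq 0) {
                'NO RECOVERY PASSWORD: nothing for Intune to escrow'; break }
            ($isOs -and $tpmProt.Count -eq 0) {
                'NO TPM PROTECTOR: OS drive cannot boot unattended'; break }
            ($isOs -and -not $tpmReady) {
                'TPM NOT READY: check Get-Tpm / tpm.msc and firmware settings'; break }
            default { 'OK' }
        }

        [pscustomobject]@{
            MountPoint     = $v.MountPoint
            VolumeType     = $v.VolumeType
            VolumeStatus   = $v.VolumeStatus
            Percent        = $v.EncryptionPercentage
            Method         = $v.EncryptionMethod
            Protection     = $v.ProtectionStatus
            Protectors     = ($v.KeyProtector.KeyProtectorType -join ',')
            RecoveryKeyIds = ($recovery.KeyProtectorId -join ',')   # IDs only, never the password itself
            TpmReady       = $tpmReady
            Verdict        = $verdict
        }
    }
}

# Usage: run on the affected device and read the Verdict column first
Get-BitLockerTriage | Format-Table MountPoint, VolumeStatus, Percent, Protection, Protectors, TpmReady, Verdict -AutoSize
```

The RecoveryKeyIds column is what you compare against the key ID on the recovery screen and in the portal; the recovery password itself is left out on purpose so the output can be pasted into a ticket.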

b. Troubleshooting BitLocker – Intune

  1. Check BitLocker Recovery Key:
    • If the device is in a recovery state, you will need the 48-digit BitLocker recovery password to unlock the device. Note the recovery key ID shown on the device’s recovery screen first; a device can have several keys, and the ID is how you pick the right one. You can obtain the key from the Azure portal:
      • Sign in to the Azure portal.
      • Select Azure Active Directory (now Microsoft Entra ID) > Devices > All Devices.
      • Select the device for which you need the recovery key.
      • Under BitLocker keys, find the entry whose Key ID matches the one on the recovery screen and select Show Recovery Key.
      • Copy the recovery key. The same keys are also reachable from the Intune admin center under Devices > All devices > the device > Recovery keys.
    • Reading a recovery key is an audited action and needs an appropriate directory role (for example Helpdesk Administrator or Cloud Device Administrator). If no key is listed for the device, it never escrowed one, which is itself a finding to chase in the BitLocker-API log later.
  2. Check Device Compliance Policy in Intune:
    • In the Microsoft Endpoint Manager admin center (now the Microsoft Intune admin center), select Devices > Compliance policies, open the policy that requires encryption, and check the device status for the affected device.
    • The compliance evaluation can lag the real encryption state, so compare the compliance verdict with what manage-bde -status says on the device before assuming BitLocker itself is broken.
  3. Check BitLocker Policy in Intune:
    • In the Microsoft Endpoint Manager admin center, select Devices > Configuration profiles (a BitLocker policy created under Endpoint security > Disk encryption lives there instead).
    • Find and select your BitLocker configuration policy.
    • Check the settings of the policy. Make sure the policy is configured correctly, that it’s assigned to the appropriate users or groups, and that the affected device or its user is actually a member of one of them; a policy that targets user groups never reaches a device with no signed-in user.
  4. Initiate a manual sync: Before deep diving into the encryption report (Devices > Monitor > Encryption report), initiate a sync with the Intune service manually from the affected device before collecting data. You can do this by navigating to Settings > Accounts > Access work or school > Select your work or school account > Info > Device sync status > Sync.
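Before reading encryption reports it helps to know whether the policy ever reached the device. As an added example (not code from the original post), this PowerShell snippet reads the BitLocker settings the MDM client has actually processed from the registry, checks the one setting that most often breaks silent encryption, and kicks the same sync the Settings page triggers. It assumes an elevated session on an Intune-enrolled Windows 10/11 device with a device-scoped BitLocker profile. The registry path is where the BitLocker CSP stores processed policy; the data ids and the value 1 meaning Required in Test-SilentEncryptionPolicy are taken from the BitLocker ADMX definitions and should be verified against your own policy before a CONFLICT verdict is trusted; the scheduled task names are the ones used by the enrollment client (PushLaunch) and by BitLocker policy refresh on Windows 10/11.

```powershell
# Added example, not from the original post: did the Intune BitLocker policy reach this device,
# and does it allow silent encryption? Assumes elevated PowerShell on an Intune-enrolled device.
#Requires -RunAsAdministrator

function Get-DeliveredBitLockerPolicy {
    # The BitLocker CSP writes the settings it has processed under this key (device scope).
    # Nothing here means the MDM client has not applied a BitLocker profile yet: re-check
    # assignments and the MDM event log before touching BitLocker itself.
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
    if (-not (Test-Path $key)) {
        Write-Warning "No BitLocker CSP settings under $key - the policy has not reached this device."
        return
    }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |     # drop PSPath/PSParentPath/... metadata
        ForEach-Object { [pscustomobject]@{ Setting = $_.Name; Value = $_.Value } }
}

function Test-SilentEncryptionPolicy {
    # Silent encryption cannot prompt a user, so a policy that *requires* a startup PIN or
    # startup key conflicts with it. The CSP stores the ADMX-backed setting as an XML fragment of
    # <data id="..." value="..."/> elements. ASSUMPTION: these data ids and value 1 = Required.
    $policy = Get-DeliveredBitLockerPolicy | Where-Object Setting -eq 'SystemDrivesRequireStartupAuthentication'
    if (-not $policy) { return 'not configured (no startup-authentication setting delivered)' }

    $xml = [xml]"<root>$($policy.Value)</root>"
    $needsUser = $xml.root.data | Where-Object {
        $_.id -in 'ConfigurePINUsageDropDown_Name', 'ConfigureTPMStartupKeyUsageDropDown_Name', 'ConfigureTPMPINKeyUsageDropDown_Name' -and
        $_.value -eq '1'
    }
    if ($needsUser) { "CONFLICT: $($needsUser.id -join ', ') set to Required; silent encryption will fail" }
    else            { 'OK: no startup PIN/key is required' }
}

function Start-IntuneSync {
    # Same mechanism as Settings > Accounts > Access work or school > Info > Sync: the
    # PushLaunch task of the enrollment (its task folder is the enrollment GUID, hence the wildcard).
    $push = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
            Where-Object TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*'
    if (-not $push) { throw 'No MDM enrollment found (PushLaunch task is missing).' }
    $push | Start-ScheduledTask

    # Intune applies BitLocker settings through this task; re-running it exercises the
    # "policy received but encryption never started" path without waiting for the schedule.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\BitLocker\' -TaskName 'BitLocker MDM policy Refresh' -ErrorAction SilentlyContinue |
        Start-ScheduledTask
    Start-Sleep -Seconds 30

    # Newest MDM-agent events after the sync: errors here mean the policy, not BitLocker, is the problem
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        StartTime = (Get-Date).AddMinutes(-2)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage
Get-DeliveredBitLockerPolicy | Format-Table -AutoSize
Test-SilentEncryptionPolicy
Start-IntuneSync | Format-Table -AutoSize
```

Run the first two functions before the sync and again after it: a policy that appears only after the sync tells you the device was simply behind, while one that never appears points back at assignments or the MDM event log.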

c. Troubleshooting BitLocker – Windows Event Logs

  1. Review Event Logs on Windows 10/11:
    • BitLocker logs its events in the Windows Event Viewer. You can check these logs to get more information about any issues.
    • Open Event Viewer (search for it in the Start menu).
    • Go to Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management.
    • Look for any warning or error messages that might give more information about the problem. Read the informational events too: a successful escrow of the recovery password to Azure AD / Entra ID is logged here, so its absence after a policy refresh is a clue in itself.
(Screenshot in the original post: the BitLocker-API Management log in Event Viewer)
  2. Check the MDM Diagnostics Tool:
    • The MDM Diagnostics Tool is a tool built into Windows that can provide logs about the device’s communication with Intune.
    • Open an elevated command prompt. The tool lives in C:\Windows\System32, which is on the PATH, so there is no need to change directory.
    • Run the command mdmdiagnosticstool.exe -out %userprofile%\desktop\mdm.
    • This will create an mdm folder on your desktop containing the logs. Open MDMDiagReport.html to see which policies the device has actually received and whether the BitLocker settings are among them.
(Screenshot in the original post: the MDM diagnostics output folder)
  3. Re-apply BitLocker Policy:
    • If everything seems to be in order, but BitLocker is still not functioning correctly, you can try re-applying the BitLocker policy.
    • In the Microsoft Endpoint Manager admin center, go to Devices > Configuration profiles.
    • Find and select your BitLocker configuration policy.
    • Select Properties > Assignments > Edit.
    • Reconfirm the assignments, then select Review + save > Save, and sync the device again.
  4. Contact Microsoft Support:
    • If all else fails, contact Microsoft Support and attach the MDM diagnostics output and the event logs collected above.

3. Windows 10/11 Key Event Log Files

  1. Collect event log data: There are several logs you can collect data from to help troubleshoot encryption status and policies:
    • Mobile device management (MDM) agent event log: This log can help determine if there was an issue processing the Intune policy or applying CSP settings. In Event Viewer it is the channel Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin; on disk it is C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.
    • BitLocker-API management event log: This is the main event log for BitLocker. It is useful if the MDM agent processed the policy successfully and there are no errors in the MDM event log. In Event Viewer it is the channel Microsoft-Windows-BitLocker/BitLocker Management; on disk it is C:\Windows\System32\winevt\Logs\Microsoft-Windows-BitLocker%4BitLocker Management.evtx.
    • System event log: This log is useful for troubleshooting hardware-related issues, such as problems with the TPM, which appear with source TPM or TPM-WMI. The log location is C:\Windows\System32\winevt\Logs\System.evtx.
    • Task scheduler operational event log: This log is useful for troubleshooting scenarios where the policy has been received from Intune, but BitLocker encryption has not successfully initiated. Intune applies BitLocker settings through the scheduled task \Microsoft\Windows\BitLocker\BitLocker MDM policy Refresh, so this log shows whether that task ran and with what result. The channel (Microsoft-Windows-TaskScheduler/Operational) is disabled by default and must be enabled manually, after which the task needs to run again before anything is recorded.
  2. Identify common errors and solutions:
    • Failed to enable Silent Encryption: Silent encryption cannot prompt the user, so a policy that requires a startup PIN or startup key conflicts with it, and the conflicting settings are logged alongside the error. The solution is to set Compatible TPM startup PIN (and startup key) to Blocked in the policy so that a TPM-only protector can be created without anyone at the keyboard.
    • TPM not available: If the TPM is not available, BitLocker cannot create the TPM protector and logs an error. The solution is to ensure there is a TPM on the device and, if it is present, check its status via tpm.msc or the PowerShell cmdlet Get-Tpm: TpmPresent and TpmReady must both be True. A TPM that is disabled in firmware or waiting for a physical-presence confirmation is fixed in UEFI setup, not in Windows.
    • Un-Allowed DMA capable bus: If Windows has detected an attached Direct Memory Access (DMA)-capable device that might expose a DMA threat, this error can occur. The solution is to verify with the original equipment manufacturer (OEM) that the device has no external DMA ports and, if the flagged device is an internal DMA interface/bus, add it to the allowed list under HKLM\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses (a string value named after the device, with its PCI vendor and device ID as the data). Whether Kernel DMA Protection is active on the machine is shown in msinfo32.
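The four logs and three error classes above lend themselves to a script, so here is an added example (not code from the original post) that pulls warnings and errors from all four channels for the last N hours, tags events whose message text matches the error names listed above, and separately lists the informational escrow events that a warnings-only view hides. It assumes an elevated PowerShell session on Windows 10/11. The keyword patterns come from the error names above rather than from a Microsoft event catalogue, so a tag is a pointer, not a diagnosis; the TPM provider names used to cut System-log noise are an assumption; and event IDs 845 (backed up to Azure AD) and 846 (backup failed) are the escrow IDs used on Windows 10/11, which the event text itself confirms.

```powershell
# Added example, not from the original post: triage the BitLocker-related event logs.
# Assumes elevated PowerShell on Windows 10/11.
#Requires -RunAsAdministrator

# Event Viewer channel names for the .evtx files listed in the text
$script:BitLockerChannels = @(
    'Microsoft-Windows-BitLocker/BitLocker Management'
    'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    'System'
    'Microsoft-Windows-TaskScheduler/Operational'
)

# Message pattern -> tag, taken from the error names in the text. First match wins.
$script:KnownFailures = [ordered]@{
    'Silent Encryption' = 'SILENT-ENCRYPTION-CONFLICT (startup PIN/key required by policy)'
    'TPM'               = 'TPM (not present, not ready, or disabled in firmware)'
    'DMA'               = 'DMA-BUS (un-allowed DMA-capable bus detected)'
}

function Enable-TaskSchedulerOperationalLog {
    # Off by default; equivalent to right-click > Enable Log in Event Viewer.
    wevtutil.exe set-log 'Microsoft-Windows-TaskScheduler/Operational' /enabled:true
}

function Get-BitLockerEventTriage {
    [CmdletBinding()]
    param([int]$Hours = 24)

    $since  = (Get-Date).AddHours(-$Hours)
    $events = foreach ($log in $script:BitLockerChannels) {
        $filter = @{ LogName = $log; StartTime = $since; Level = 1, 2, 3 }   # Critical, Error, Warning
        if ($log -eq 'System') {
            # Keep System to TPM events only. ASSUMPTION: these are the provider names TPM events use.
            $filter['ProviderName'] = 'TPM', 'TPM-WMI', 'Microsoft-Windows-TPM-WMI'
        }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue   # "no events" is not an error here
    }

    foreach ($e in ($events | Sort-Object TimeCreated -Descending)) {
        $tag = 'untagged'
        foreach ($pattern in $script:KnownFailures.Keys) {
            if ($e.Message -match $pattern) { $tag = $script:KnownFailures[$pattern]; break }
        }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Log     = $e.LogName
            Id      = $e.Id
            Level   = $e.LevelDisplayName
            Tag     = $tag
            Message = ($e.Message -split "`r?`n")[0]   # first line only; full text via Get-WinEvent
        }
    }
}

function Get-RecoveryKeyEscrowEvents {
    # Escrow to Entra ID (Azure AD) is logged as an informational event in the BitLocker-API
    # channel: 845 = backed up successfully, 846 = backup failed. No 845 after a policy refresh
    # means the portal will have no key for this device.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 845, 846
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Escrow'; e = { if ($_.Id -eq 845) { 'SUCCESS' } else { 'FAILED' } } }, Message
}

# Usage
Get-BitLockerEventTriage -Hours 48 | Format-Table -AutoSize
Get-RecoveryKeyEscrowEvents -Hours 48 | Format-Table -AutoSize
```

Call Enable-TaskSchedulerOperationalLog first on a device where the Task Scheduler channel is still off, then trigger the BitLocker MDM policy Refresh task (or a sync) and run the triage again; until the task has run, that channel contributes nothing.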

4. Useful Windows BitLocker & TPM Commands

Here’s a list of useful BitLocker and TPM commands for troubleshooting:

BitLocker Commands:

  • manage-bde -status: Shows the status of BitLocker on every volume, including conversion status, encryption percentage, encryption method and protection status (PowerShell equivalent: Get-BitLockerVolume).
  • manage-bde -on C:: Turns on BitLocker for drive C:. Without a recovery password protector there is nothing to escrow, so the usual form is manage-bde -on C: -RecoveryPassword (add -UsedSpaceOnly to skip free space on a freshly provisioned disk).
  • manage-bde -off C:: Turns off BitLocker for drive C: by decrypting it. To pause protection without decrypting, for example before a firmware update, use manage-bde -protectors -disable C: and re-enable afterwards.
  • manage-bde -protectors -get C:: Shows the key protectors on the volume, including the numerical password ID; that ID must match the key ID shown on the recovery screen and in the portal, otherwise the key you copied belongs to a different protector.
  • manage-bde -unlock C: -RecoveryPassword YOUR-BITLOCKER-RECOVERY-KEY: Unlocks drive C: with the 48-digit recovery password (use -RecoveryKey with the path to a .bek file instead).
  • manage-bde -ForceRecovery C:: Forces the volume into recovery mode at the next boot. Only use it once you have confirmed the recovery password is escrowed; on the OS drive this is the quickest way to lock yourself out.

TPM Commands:

  • Get-Tpm: This PowerShell cmdlet retrieves the status of the Trusted Platform Module (TPM) on the local computer. TpmPresent, TpmReady, TpmEnabled and TpmActivated should all be True before BitLocker will use it.
  • Initialize-Tpm: This PowerShell cmdlet provisions the TPM (takes ownership) so Windows can use it. It does not wipe the TPM, but its output may report that a restart or a physical-presence confirmation at the next boot is required before provisioning completes.
  • Clear-Tpm: This PowerShell cmdlet clears the TPM, removing all keys stored in it. The TPM protector for the OS drive dies with them, so suspend BitLocker first (Suspend-BitLocker or manage-bde -protectors -disable C:) and have the recovery password at hand; otherwise the next boot lands on the recovery screen.
  • ConvertTo-TpmOwnerAuth: This PowerShell cmdlet converts a TPM owner passphrase into the owner authorization value that the other TPM cmdlets accept (for example Clear-Tpm -OwnerAuthorization).
  • tpm.msc: This is not a command, but opening tpm.msc from the Run dialog or command prompt opens the TPM management console, which provides information about the TPM and allows for some management tasks.

Remember, many of these commands require administrative rights to execute, and some can cause data loss if used improperly. Always make sure to have a current backup of your important data and understand the implications of the command you’re running.
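The commands above are usually combined into one recovery-password workflow: find the protector whose ID matches the recovery screen, make sure a recovery password exists and is escrowed, and only then consider anything destructive. Here is an added example (not code from the original post) of that workflow using the BitLocker PowerShell module rather than manage-bde. It assumes an elevated session on an Entra-joined Windows 10/11 device; the key ID prefix is whatever the recovery screen or the portal shows, and nothing here prints the 48-digit password.

```powershell
# Added example, not from the original post: recovery-password workflow with the BitLocker module.
# Assumes elevated PowerShell on an Entra-joined Windows 10/11 device.
#Requires -RunAsAdministrator

function Find-RecoveryProtector {
    # Match the key ID from the recovery screen / portal against the volume's protectors.
    # A volume can carry several recovery passwords; the portal key only unlocks the one with that ID.
    param(
        [Parameter(Mandatory)][string]$MountPoint,     # e.g. 'C:'
        [Parameter(Mandatory)][string]$KeyIdPrefix     # first block of the key ID, or the full GUID
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $vol.KeyProtector | Where-Object {
        $_.KeyProtectorType -eq 'RecoveryPassword' -and
        $_.KeyProtectorId.Trim('{', '}') -like "$KeyIdPrefix*"
    } | Select-Object KeyProtectorId, KeyProtectorType     # deliberately not RecoveryPassword
}

function Sync-RecoveryPasswordToEntra {
    # Ensure a recovery password exists and push it to Entra ID (Azure AD). This is what the
    # Intune policy does on its own when it works; the manage-bde equivalent of the first step is
    # manage-bde -protectors -add C: -RecoveryPassword, the backup step has no manage-bde counterpart.
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    foreach ($p in $rp) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        [pscustomobject]@{ MountPoint = $MountPoint; KeyProtectorId = $p.KeyProtectorId; EscrowRequested = $true }
    }
    # Confirm with event 845 in the BitLocker-API log and in the portal before relying on it.
}

function Invoke-SafeForceRecovery {
    # manage-bde -ForceRecovery with a seatbelt: refuse unless a recovery password is present on the
    # volume and the caller has proven they can see its ID (i.e. they found it in the portal).
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][string]$KeyIdPrefix
    )
    if (-not (Find-RecoveryProtector -MountPoint $MountPoint -KeyIdPrefix $KeyIdPrefix)) {
        throw "No recovery password with ID $KeyIdPrefix* on $MountPoint; not forcing recovery."
    }
    manage-bde.exe -ForceRecovery $MountPoint
}

# Usage (key ID prefix copied from the recovery screen or the portal)
Find-RecoveryProtector -MountPoint 'C:' -KeyIdPrefix '3F2A9C1B'
Sync-RecoveryPasswordToEntra -MountPoint 'C:'
```

If Find-RecoveryProtector returns nothing for the ID on the recovery screen, the portal key you are holding is for a protector this volume no longer has (a reinstall, a key rotation, or the wrong device record); stop and re-check the device object rather than retrying the 48 digits.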