Troubleshoot: BitLocker Policy for Windows Devices

This article shows you how to troubleshoot issues that can occur with the JumpCloud Windows BitLocker Policy.

Note:
The policy fails due to non-OS or hidden volumes.

Symptoms

  • The BitLocker policy fails to apply.
  • Encryption functionality is interrupted.
  • Errors indicate conflicts with non-operating system (OS) volumes or drives (hidden drives assigned a letter, for example D:).

Cause

This issue often stems from conflicts with non-OS volumes that have BitLocker enabled manually or other drives that the device detects as encryptable volumes. Before enabling the JumpCloud BitLocker policy, all non-OS volumes must have BitLocker disabled to avoid interference.

Resolution

Follow these steps to identify problematic volumes, disable conflicting encryption, and reapply the policy.

Step 1: Identify Problematic Volumes

  1. Disconnect all external drives (USB, external HDDs) from the device to prevent interference.
  2. Open PowerShell as an administrator on the device and run the following command to list all drives and their encryption status: Get-BitLockerVolume

Note:

Use this output to identify any hidden drives that might be interfering with the policy.

  3. Open Disk Management and review all listed volumes. Look specifically for hidden volumes that have been assigned drive letters, for example D:.

Step 2: Disable BitLocker on Non-OS Volumes

If the output from Step 1 shows that a non-OS volume has BitLocker enabled, you must turn it off.

  1. Open BitLocker Drive Encryption settings on the device.
  2. Locate the relevant non-OS volume.
  3. Select Turn off BitLocker.
  4. Wait for the decryption process to complete before proceeding.

Step 3: Reset the BitLocker Policy in JumpCloud

Once conflicting volumes are decrypted, reapply the policy to the device.

Warning:

Not properly backing up Recovery Keys before unbinding the policy may result in potential data loss. Proceed with caution.

  1. Log in to the JumpCloud Admin Portal.

Important:

If your data is stored outside of the US, check which login URL to use for your region; see JumpCloud Data Centers to learn more.

  2. Go to Device Management > Devices.
  3. Select the device and go to the Policies tab.
  4. Unbind the BitLocker policy from the device and click Save Device.
  5. Restart the Windows device.
  6. In the Admin Portal, bind the BitLocker policy to the device again and click Save.
  7. Verify the policy status.

The policy results show the error: “More than one numerical password currently set.”

Warning:

JumpCloud only stores one Recovery Key. When the extra keys are cleared, the BitLocker policy can be applied successfully. Until the Recovery Key appears in the Admin Portal, it is a good idea to back up your Recovery Key. Not properly backing up Recovery Keys may result in potential data loss. Proceed with caution.

If your BitLocker policy returns an error similar to {"state": "FAILED", "detail": "Bitlocker Protected - More than one numerical password currently set. This configuration is not supported, please ensure that the system only has one or no numerical password in place."}:

Cause

The device has multiple Recovery Keys set. The policy fails because JumpCloud can't determine which key is its own, and it can't rotate the key until an admin clears the extras.

Resolution

To remove extra BitLocker Recovery Keys from a device that has its disk fully encrypted:

  1. On the Windows device, open a Command Prompt as an administrator.
  2. Run the following command to list the key protectors on the OS volume: manage-bde.exe -protectors c: -get
  3. Run manage-bde.exe -protectors c: -delete -id {ID} to remove the extra numerical password, where {ID} is the protector ID shown in the previous output.

The policy results show the error: “TPM Ownership has not been established.”

If your BitLocker policy returns a “TPM Ownership has not been established” error, follow these steps:

  1. On your device, open PowerShell as an administrator and run Get-Tpm.
  2. In the results, verify that TpmOwned and AutoProvisioning are set to False/Disabled.
  3. Run Enable-TpmAutoProvisioning.
  4. Reboot your device.
  5. Repeat step 1 and verify that TpmOwned and AutoProvisioning are now set to True/Enabled. If they are not, follow the procedure below.

The policy results show the error: “TPM is not ready to be used on this device.”

If your BitLocker policy returns a “TPM is not ready to be used on this device” error, follow these steps:

  1. Open the Run window on your device by pressing the Windows+R keys simultaneously.
  2. Enter tpm.msc into the Run window and press Enter.
  3. Verify that the status displays The TPM is not ready for use.
  4. From the Actions menu in the window that opens, select Prepare TPM.
  5. Using the prompt that appears, restart your device.

Note:

If your device recommends clearing the TPM, this could result in data loss. If you need to reset the TPM, follow Microsoft’s documentation.

  6. After you restart your device, you may be prompted on the boot screen to accept changes to the TPM state. Verify these changes and accept.
  7. Repeat steps 1 and 2 and verify that the TPM status displays The TPM is ready for use.

The policy results show the error: “C: Volume does not have Tpm Key Protector. Non-OS volumes will not be encrypted.”

BitLocker encryption was applied via the portal, and devices showed successful encryption. However, the BitLocker policy results show this message: “C: Volume does not have Tpm Key Protector. Non-OS volumes will not be encrypted.”

Cause

An additional authentication method was enabled on the systems through GPO.

Resolution

Follow these steps to resolve the issue:

  1. Press the Windows logo key on the keyboard to open the Start menu.
  2. Type gpedit.msc and press Enter.
  3. In the Local Group Policy Editor window, follow the path: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
  4. Select Operating System Drives.
  5. In the right pane, double-click Require additional authentication at startup.
  6. Select the Disabled radio button.
  7. Ensure the Allow BitLocker without a compatible TPM checkbox in the Options section is unchecked.
  8. Once done, click OK to apply the changes and close the Local Group Policy Editor window.

The policy results show the error: “You cannot call a method on a null-valued expression.”

Symptoms

  • In the Admin Portal, the BitLocker policy results show the following error:
    “You cannot call a method on a null-valued expression”
  • Running manage-bde -Status in an elevated prompt on the device returns the following error:

PS C:\WINDOWS\system32> manage-bde -Status
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

ERROR: An error occurred (code 0x8004100e): Invalid namespace

Cause

The "Invalid Namespace" error typically indicates an issue with Windows Management Instrumentation (WMI) on the device. This occurs if the namespace that the policy or script is attempting to access is missing, corrupt, or unavailable.

Resolution

Important:

If the BitLocker Recovery Key is visible in the Admin Portal, back it up and unbind the device from the policy before proceeding to prevent potential data loss.

To rebuild the WMI Repository:

  1. On the affected device, open Command Prompt as an Administrator.
  2. Run the following command: net stop winmgmt
    • If prompted to stop dependent services, press Y and Enter.
  3. Run the following commands to reset the WMI repository:
    1. winmgmt /resetrepository
    2. net start winmgmt
  4. Restart the device and rebind the BitLocker policy to it.
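The following read-only preflight script is an added example, not JumpCloud's own tooling or the Diagnose BitLocker Issues script referenced below. It checks a device for every policy blocker this article describes (non-OS and hidden volumes from Step 1, more than one numerical password on C:, TPM ownership and readiness, the additional-authentication GPO, and the missing WMI namespace) so you can fix them before binding the policy. It assumes the OS volume is C:, as in the manage-bde commands above, and an elevated PowerShell session; the registry value names UseAdvancedStartup and EnableBDEWithNoTPM are the ones the Group Policy settings in this article write under the FVE policy key.

```powershell
# Added example (not JumpCloud's own tooling): read-only preflight for the BitLocker
# policy blockers described in this article. Assumes the OS volume is C: and an elevated session.
$findings = @()
# WMI: Get-BitLockerVolume and manage-bde read this namespace; when it is missing you get
# "Invalid namespace" (0x8004100e) and the null-valued-expression policy error.
try {
    $null = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -ClassName Win32_EncryptableVolume -ErrorAction Stop
} catch {
    $findings += "WMI namespace MicrosoftVolumeEncryption unavailable: $($_.Exception.Message)"
}
# TPM: covers "TPM Ownership has not been established" and "TPM is not ready to be used".
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    $findings += 'No TPM present'
} elseif (-not $tpm.TpmReady -or -not $tpm.TpmOwned) {
    $findings += "TPM not ready (TpmOwned=$($tpm.TpmOwned), AutoProvisioning=$($tpm.AutoProvisioning))"
}
# GPO: "Require additional authentication at startup" (UseAdvancedStartup) and
# "Allow BitLocker without a compatible TPM" (EnableBDEWithNoTPM) under the FVE policy key.
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve.UseAdvancedStartup -eq 1 -or $fve.EnableBDEWithNoTPM -eq 1) {
    $findings += 'GPO enables additional startup authentication; disable it so C: gets a TPM key protector'
}
# Volumes: non-OS volumes with protection on, and recovery-password protectors on C:.
$volumes = Get-BitLockerVolume
foreach ($v in $volumes) {
    if ($v.VolumeType -ne 'OperatingSystem' -and $v.ProtectionStatus -eq 'On') {
        $findings += "Non-OS volume $($v.MountPoint) has BitLocker on; turn it off before binding the policy"
    }
}
$os = $volumes | Where-Object MountPoint -eq 'C:'
$recovery = @($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -gt 1) {
    # Back up every RecoveryPassword listed here before deleting any protector by ID.
    $findings += "$($recovery.Count) numerical passwords on C:; keep one and remove the rest with manage-bde -protectors c: -delete -id {ID}"
    $recovery | Select-Object KeyProtectorId, RecoveryPassword | Format-Table -AutoSize
}
if ($os.ProtectionStatus -eq 'On' -and -not ($os.KeyProtector.KeyProtectorType -like 'Tpm*')) {
    $findings += 'C: is encrypted but has no TPM key protector'
}
# Lettered volumes that BitLocker did not report (the hidden-drive case from Step 1).
$seen = @($volumes.MountPoint)
Get-Volume | Where-Object { $_.DriveLetter -and "$($_.DriveLetter):" -notin $seen } |
    ForEach-Object { $findings += "Lettered volume $($_.DriveLetter): not reported by Get-BitLockerVolume; review it in Disk Management" }
if ($findings.Count -eq 0) { 'No known policy blockers found' } else { $findings }
```

Each finding maps to one section of this article; an empty result means none of the documented failure conditions is present, not that encryption has succeeded.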

Additional Diagnostic Tools

If you continue to experience issues, you can gather detailed logs to share with JumpCloud Support.

  • Automatic Collection - See Diagnose BitLocker Issues Using PowerShell to use a script to collect information.
  • Manual Collection - Alternatively, you can collect the information manually by running the following commands in PowerShell or Command Prompt:
    • manage-bde -status to view the current encryption state of all volumes.
    • Get-BitLockerVolume to see detailed volume information.