deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 03:43:39 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Metadata/style update BitLocker 12

Browse Source
This commit is contained in:
Frank Rojas
2022-11-15 22:42:36 -05:00
parent d7d8da8771
commit 6f9260d8a5
6 changed files with 363 additions and 297 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
View File

@ -1,5 +1,5 @@
---
title: BitLocker cannot encrypt a drive known issues
title: BitLocker can't encrypt a drive known issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive
ms.reviewer: kaushika
ms.technology: itpro-security
@ -14,58 +14,63 @@ ms.date: 11/08/2022
ms.custom: bitlocker
---
# BitLocker cannot encrypt a drive: known issues
# BitLocker can't encrypt a drive: known issues
This article describes common issues that prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
> [!NOTE]
> If you have determined that your BitLocker issue involves the trusted platform module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
> If it is determined that the BitLocker issue involves the trusted platform module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
## Error 0x80310059: BitLocker drive encryption is already performing an operation on this drive
## **Error 0x80310059: BitLocker drive encryption is already performing an operation on this drive**
When you turn on BitLocker Drive Encryption on a computer that is running Windows 10 Professional or Windows 11, you receive a message that resembles the following:
When BitLocker Drive Encryption is turned on a computer that is running Windows 10 Professional or Windows 11, the following message may appear:
> **ERROR:** An error occurred (code 0x80310059):BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing.NOTE: If the -on switch has failed to add key protectors or start encryption,you may need to call manage-bde -off before attempting -on again.
> **ERROR: An error occurred (code 0x80310059): BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing. NOTE: If the -on switch has failed to add key protectors or start encryption, you may need to call manage-bde -off before attempting -on again.**
### Cause
### Cause of **Error 0x80310059**
This issue may be caused by settings that are controlled by group policy objects (GPOs).
### Resolution
### Resolution for **Error 0x80310059**
> [!IMPORTANT]
> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
> Follow the steps in this section carefully. Serious problems might occur if the registry is modified incorrectly. Before modifying the registry, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
To resolve this issue, follow these steps:
1. Start Registry Editor, and navigate to the following subkey:
**HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE**
**`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE`**
1. Delete the following entries:
- **OSPlatformValidation\_BIOS**
- **OSPlatformValidation\_UEFI**
- **PlatformValidation**
2. Delete the following entries:
1. Exit registry editor, and turn on BitLocker drive encryption again.
- **`OSPlatformValidation_BIOS`**
- **`OSPlatformValidation_UEFI`**
- **`PlatformValidation`**
## "Access is denied" message when you try to encrypt removable drives
3. Exit registry editor, and turn on BitLocker drive encryption again.
You have a computer that is running Windows 10, version 1709 or version 1607, or Windows 11. You try to encrypt a USB drive by following these steps:
<!--
REMOVING THIS SECTION SINCE IT ONLY APPLIES TO WINDOWS 10 VERSIONS THAT BEEN OUT OF SUPPORT FOR SEVERAL YEARS
## **Access is denied** message when attempting to encrypt removable drives
A computer is running Windows 10, version 1709 or version 1607. Encryption is attempted on a USB drive by following these steps:
1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**.
1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**.
2. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**.
1. Follow the instructions on the page to enter your password.
3. Follow the instructions on the page to enter a password.
1. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**.
4. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**.
1. The **Starting encryption** page displays the message "Access is denied."
5. The **Starting encryption** page displays the message **Access is denied.**
You receive this message on any computer that runs Windows 10 version 1709 or version 1607, or Windows 11, when you use any USB drive.
The message is received on any computer that runs Windows 10 version 1709 or version 1607, when any USB drive is used.
### Cause
### Cause of **Access is denied** message
The security descriptor of the BitLocker drive encryption service (BDESvc) has an incorrect entry. Instead of NT AUTHORITY\Authenticated Users, the security descriptor uses NT AUTHORITY\INTERACTIVE.
@ -73,35 +78,37 @@ To verify that this issue has occurred, follow these steps:
1. On an affected computer, open an elevated Command Prompt window and an elevated PowerShell window.
1. At the command prompt, enter the following command:
2. At the command prompt, enter the following command:
```console
C:\>sc sdshow bdesvc
```
The output of this command resembles the following:
The output of this command resembles the following output:
> `D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)`
1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows.
3. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows.
![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE.](./images/ts-bitlocker-usb-sddl.png)
If you see NT AUTHORITY\INTERACTIVE (as highlighted) in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following:
If `NT AUTHORITY\INTERACTIVE` is seen as highlighted in the output of this command, this line is the cause of the issue. Under typical conditions, the output should resemble the following output instead:
![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users.](./images/ts-bitlocker-usb-default-sddl.png)
> [!NOTE]
> GPOs that change the security descriptors of services have been known to cause this issue.
### Resolution
### Resolution for **Access is denied** message
1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command:
```powershell
``` powershell
sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
```
1. Restart the computer.
2. Restart the computer.
The issue should now be resolved.
The issue should now be resolved.
-->