BitLocker Protection off: Update UEFI/BIOS to fix issues

When BitLocker Protection is “off”, it means that BitLocker encryption is currently disabled on the drive. In my case, it is disabled and the encryption did not succeed in the first place. Therefore, we will limit our solution to this use case. In this article, we shall discuss “BitLocker Protection off: Update UEFI/BIOS to fix issues”. Please see How to Disable BitLocker on Windows 10, How to Change BitLocker Password in Windows, and How to correctly disable BitLocker on Windows Server.
Note: There could be numerous reasons why many endpoints report a “BitLocker protection status” set to “Off” despite encryption being enabled or disabled.
BitLocker provides information about all drives on the computer, whether or not they are BitLocker-protected, including the following, as you can also see from the image below:
- Key protector
- Size
- BitLocker version
- Conversion status
- Percentage encrypted
- Encryption method
- Protection status
- Lock status
- Identification field

Note: You could employ other troubleshooting steps to see if the Group Policies are correctly applied or if you have a hardware/software failure that is not supported. The Windows Event Log will be helpful in this case.
Please see how to Analyze group policies applied to a user and computer account, and how to “Backup existing and new BitLocker Recovery Keys to Active Directory”.
What does the “Protection Off” signify
Let us explore what this error likely indicates before moving into the specific steps that resolved it. This approach helps to clarify the potential causes and provides a clearer understanding of the troubleshooting process.
- Drive is Not Encrypted: The data on the drive is not secured with BitLocker encryption, so it is stored in plaintext, making it readable without any decryption keys. This is the scenario I have encountered.
- Decryption is Completed: BitLocker was previously enabled on the drive and has since been turned off. This means the drive has been decrypted, and the data is no longer protected by BitLocker.
- Protection is Suspended: If BitLocker protection was suspended (for example, during system maintenance or Windows updates), it temporarily stores the decryption key in the system, allowing access to data without needing a PIN or recovery key. However, this is a temporary state, and BitLocker can be re-enabled.
Regardless of the likely cause of the error, in this state the data on the drive is vulnerable to unauthorized access. To re-enable BitLocker protection, you would need to troubleshoot and fix the root issue before enabling BitLocker as needed or via a third-party agent such as MBAM.
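The three cases above can be told apart from the volume's conversion status. The script below is an added example, not part of the original article; it uses the built-in Get-BitLockerVolume cmdlet, and the function name Get-ProtectionOffReason is hypothetical.

```powershell
# Added example: explain why each volume reports "Protection Off".
# Run in an elevated PowerShell session; uses the built-in BitLocker module.
# Get-ProtectionOffReason is a hypothetical helper name, not a Windows cmdlet.
function Get-ProtectionOffReason {
    param([Parameter(Mandatory)] $Volume)   # one object from Get-BitLockerVolume

    if ($Volume.ProtectionStatus -eq 'On') { return 'Protected' }

    switch ([string]$Volume.VolumeStatus) {
        'FullyDecrypted'       { 'Not encrypted: never enabled, or decryption has completed' }
        'DecryptionInProgress' { 'Decryption running: BitLocker was turned off' }
        'EncryptionInProgress' { 'Encryption still running' }
        'FullyEncrypted'       { 'Suspended: data is encrypted, key usable without PIN or recovery key' }
        default                { "Unclassified volume status: $($Volume.VolumeStatus)" }
    }
}

# One row per drive, with the fields that matter for triage.
Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        MountPoint   = $_.MountPoint
        VolumeStatus = $_.VolumeStatus
        Protection   = $_.ProtectionStatus
        PercentDone  = $_.EncryptionPercentage
        Protectors   = ($_.KeyProtector.KeyProtectorType -join ', ')
        Reason       = Get-ProtectionOffReason -Volume $_
    }
} | Format-Table -AutoSize
```

A fully decrypted volume with an empty Protectors column matches the scenario in this article, where encryption never started.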
Please see How to Disable device encryption on Windows, how to Prevent OS Reinstallation: Change from legacy BIOS to UEFI, and how to Prevent Local Administrators from managing BitLocker with the manage-bde command.
Missing UEFI/BIOS Updates
Because there are numerous reasons, you have to troubleshoot to determine the root issue. Thankfully, you can search through my blog for MBAM or BitLocker archives in order to view more solutions or troubleshooting tips.
In my environment, I have been able to determine that the MBAM Agent could not enable BitLocker on the PC because it was missing some critical UEFI updates.
This is because BitLocker relies on the system’s Trusted Platform Module (TPM), which is closely integrated with BIOS or UEFI firmware. The points below explain this further.
- BitLocker requires the TPM to store encryption keys securely. If the BIOS/UEFI firmware is outdated, it may lack the latest TPM features or security standards, leading to compatibility issues.
- Older BIOS or UEFI versions may have security flaws that prevent BitLocker from ensuring a fully secure encryption process. Updates often patch vulnerabilities that could otherwise expose encryption keys or allow unauthorized access.
Please see Modern Standby: PC is automatically encrypted, and Reasons for BitLocker Recovery Prompt: Query the number of BitLocker recovery request.
Apply UEFI Updates
Note: When a device is protected by BitLocker, you can run Dell Command Update and this will suspend BitLocker, but we do not have encryption enabled in the first place. Also, as covered in a link referenced above, BitLocker is automatically suspended when Windows updates are being applied. BUT when you manually apply BIOS/UEFI updates, you MUST manually suspend BitLocker, or else you will be prompted with “BitLocker Recovery Mode”.
As we have learned, firmware updates improve overall system stability and can fix issues with the TPM module. If the TPM isn’t functioning correctly due to outdated firmware, BitLocker won’t proceed with encryption.
Therefore, in this section, we shall discuss the fix via direct update and via the DELL Command Update. Launch the DELL Command Update and click to check for updates when the wizard opens up.

This will start checking for available updates as shown below.

As you can see, there are critical and recommended updates found. Please select and install. You can also click to have your PC restarted automatically.

Updates are being downloaded and will be installed very shortly.

As you can see above, I did not select to have the device restarted automatically. Therefore, I am being prompted.

Device is currently being rebooted


Note: BitLocker requires Secure Boot (enabled in UEFI) to validate system integrity at startup. If the UEFI firmware does not support Secure Boot or it is not properly configured, BitLocker encryption will also fail. Therefore, double-check these settings below.
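The firmware, TPM and Secure Boot checks from this section, plus the manual suspend step described in the note above, can be scripted. This is an added example, not from the original article; it uses only built-in Windows cmdlets, and the function names Get-FirmwareReadiness and Suspend-ForFirmwareUpdate are hypothetical.

```powershell
# Added example: firmware/TPM/Secure Boot report and a guarded suspend step.
# Run elevated. Both function names are hypothetical helpers, not Windows cmdlets.
function Get-FirmwareReadiness {
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $tpm  = Get-Tpm

    # Confirm-SecureBootUEFI throws on legacy-BIOS systems or when not elevated,
    # so record the error text instead of failing the whole report.
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBoot = "Unknown: $($_.Exception.Message)" }

    [pscustomobject]@{
        Manufacturer = $bios.Manufacturer
        BiosVersion  = $bios.SMBIOSBIOSVersion
        BiosDate     = $bios.ReleaseDate
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        TpmFirmware  = $tpm.ManufacturerVersion
        SecureBoot   = $secureBoot
    }
}

# Suspend protection before a manually applied BIOS/UEFI update so the
# next boot does not land in BitLocker recovery mode.
function Suspend-ForFirmwareUpdate {
    param([string] $MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Output "$MountPoint : protection is already off, nothing to suspend."
        return
    }
    # -RebootCount 1 restores protection automatically after the next restart;
    # raise it if the vendor's updater restarts the machine more than once.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1
}

Get-FirmwareReadiness | Format-List
```

Compare BiosVersion and BiosDate against the vendor's current release, and call Suspend-ForFirmwareUpdate only on machines where protection is already on.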

Since I am using MBAM to manage BitLocker, I will have to reapply GPO/Force on the device. The encryption would begin very shortly.
FAQs
Yes, BitLocker can be used to encrypt external drives such as USB drives, external hard drives, and SSDs. This provides additional security for your data when it’s stored on portable devices.
No, BitLocker is a Windows-specific feature. Under normal circumstances, macOS and Linux cannot natively open or read BitLocker-encrypted drives without third-party tools or software.
If you plan to move the encrypted external drive between different operating systems or devices, you need to be aware that non-Windows systems (like macOS or Linux) will likely be unable to access the files unless specific tools or drivers are installed. It’s best to ensure that you will have access to the drive from a Windows device if you use BitLocker.
Yes, as long as you have the correct password or recovery key, you can access the BitLocker-encrypted external drive on any other Windows computer that supports BitLocker.
If you forget your BitLocker password or lose the recovery key, you may be unable to access the data on the encrypted drive. It’s important to back up the recovery key in a secure location when encrypting the drive.
I hope you found the article on “BitLocker Protection off: Update UEFI/BIOS to fix issues” very useful. Please feel free to leave a comment below.