Fast Boot Options: Fix specific Drive issue with BitLocker [MBAM]

Posted on Christian By Christian No Comments on Fast Boot Options: Fix specific Drive issue with BitLocker [MBAM]
Data drive is locked by BitLocker and not OS drive Fastboot Option

Dell Fast Boot is a feature that minimizes the startup time of your system. It does this by bypassing certain POST (Power-On Self-Test) checks during boot. Depending on your Dell system model, you can configure it through the BIOS/UEFI firmware interface. In this article, we shall discuss “Fast Boot Options: Fix specific Drive issue with BitLocker [MBAM]”. Please, see how to fix Unable to find my BitLocker Recovery Key, How to deploy MBAM for BitLocker Administration, and how to “Fix MBAM Client Deployment is only supported on MBAM 2.5 SP1“.

BitLocker recovery is the process by which access to a BitLocker-protected drive can be restored if the drive doesn’t unlock using its default unlock mechanism.

Users often encounter issues when certain drives are locked, triggering BitLocker recovery mode unexpectedly. To resolve this irregular BitLocker prompt, ensure the device has the correct BIOS settings configured.

BitLocker recovry mode

You may want to see why is BitLocker unable to encrypt Removable Drives via MBAM. Also, see how to check if Microsoft BitLocker Administration and Monitoring is installed on Windows, and Understanding MBAM compliance state and error status.

BitLocker Recovery Prompt Scenarios

It’s crucial to identify the cause of a device entering BitLocker recovery mode as part of the recovery process and troubleshooting. Performing a root cause analysis helps pinpoint the issue and prevents it from happening again in the future.

This issue is as a result of external factors and not related to BitLocker/MBAM itself. Therefore, I will provide you with some known or common events that cause a device to enter BitLocker recovery mode when starting your Windows PC.

  • Entering the wrong PIN too many times
  • Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if using USB-based keys instead of a TPM
  • Having the CD or DVD drive before the hard drive in the BIOS boot order (common with virtual machines)
  • Docking or undocking a portable computer
  • Changes to the NTFS partition table on the disk
  • Changes to the boot manager
  • Using PXE boot
  • Turning off, disabling, deactivating, or clearing the TPM (Clearing TPM itself is not longer an issue starting with Windows 10/11 as discussed here: How to clear the TPM via the management console or Windows Defender Center App. Also, see Enable TPM: Determine if TPM is present.
  • TPM self-test failure
  • Upgrading the motherboard to a new one with a new TPM
  • Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade
  • Hiding the TPM from the operating system
  • Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile
  • Moving a BitLocker-protected drive into a new computer
  • On devices with TPM 1.2, changing the BIOS or firmware boot device order

Error “BitLocker Recovery Mode Prompt for Drive D:”

Actually, for this specific error, we have discussed a fix also in this guide “how to fix BitLocker always prompting for Recovery Key“, and Reasons for BitLocker Recovery Prompt: Query the number of BitLocker recovery request.

Having read the some common BitLocker Recovery Prompts discussed above, you will agree that taking a look at the Windows Event Viewer. You may want to see how to determine why an MBAM-protected device is non-compliant.

From the Enterprise Compliance Reports ‘Query MBAM to display the BitLocker Recovery report” as shown below or Email notifications for MBAM Enterprise and Compliance and Recovery Audit reports. You would notice that the device is non-complaint despite the operating system drive is. You may want to learn about the reporting field here ‘Microsoft BitLocker Administration and Monitoring Report Fields“.

Note: As you can see, TPM settings was not configured to only protect the OS drive. As we can se below, the OS volume is encrypted, but the data drive isn’t. I already know the reason or this as it is not related to TPM, else the OS volume will not be encrypted in the first place. But, I will urge you to verify this in the BIOS once more.

Dell has discussed this topic extensively. As such, please proceed with the recommendations in the next section to fix this issue. You may want to take a look at other solutions from DELL similar to the issue here “BIOS Settings to Allow PXE Boot on Dell Latitude Laptops“.

Non-complaint

Here is also an article on how to Force BitLocker Recovery: Perform BitLocker Recovery via the Self-Service Portal and Helpdesk, and how to install Nextcloud on Mac.

Note: For planned scenarios, such as a known hardware or firmware upgrades, initiating recovery can be avoided by temporarily suspending BitLocker protection. Suspending BitLocker leaves the drive fully encrypted, and the administrator can quickly resume BitLocker protection after the planned task is completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key.

Fix BitLocker Prompting Recovery Prompt for Data Drive

Note: Before proceed, ensure you have downloaded and installed the latest BIOS update available for your Windows PC. Since I am dealing with DELL specific devices, take a look at these. How to update the BIOS on your Dell system, “BitLocker Protection off: Update UEFI/BIOS to fix issues“, and BitLocker Windows Update Shutdown or Reboot option behavior.

Also, see how to use PowerShell to View and Change BIOS Settings, and Prevent OS Reinstallation: Change from legacy BIOS to UEFI.

You must check the requirements via the BIOS settings. To do this, the device must be restarted and F2 must be pressed during the boot process. Alternatively, the BIOS boot menu can also be called up with F12. Then select the “BIOS Setup” option.

Depending on the model, the “Thorough” option must also be activated in the “Pre-Boot Behavior” area under Fastboot. Otherwise, problems may arise when using docking stations.

DELL BIOS THOROUGH SETTINGS

Upon ensuring that the right BIOS settings are in place, BIOS/UEFI updates applied, and the device policy reapplied. You can see from he Computer Compliance Report that the device is complaint again as shown below.

Device is now complaint

FAQs

Why is my device not encrypting even though MBAM policies are applied?

If a device was manually encrypted or decrypted, the MBAM agent may incorrectly assume the drive is already compliant. As a result, the agent will not trigger a new encryption process.

How can I force re-encryption on a device with MBAM?

The most reliable method is to uninstall and reinstall the MBAM agent. Reinstallation resets the agent’s state, and upon the next policy refresh, MBAM will enforce encryption according to the configured policies. This actually depends on if you have manually decrypted and enabled BitLocker despite having the agent installed.

What happens after I reinstall the MBAM agent?

Once reinstalled, the MBAM agent checks the device’s encryption status. If the drive is not fully encrypted, the agent automatically initiates encryption based on the applied MBAM policies.

I hope you found this article very useful on “Fast Boot Options: Fix specific Drive issue with BitLocker [MBAM]”. Please feel free to leave a comment below.

5/5 - (1 vote)
Windows Tags:, , ,

Related Posts

More Related Articles

jhgfx How to make Cortana use your default web browser such as Google Chrome Windows
win 10 login screen Import a user profile in Windows to another PC Windows
Featured image TeamsGif. How to fix Microsoft Teams GIFs or Images not working Windows
Feature Image How to Enable and Disable WMI Traffic through Windows CMD Windows
windows update 03 Check if Windows Updates were installed via the Registry Editor Windows
Security updated something did not go well as planned Something did not go well as planned: Windows Security update fails to install Windows

Leave a Reply