
Device is not encrypted: BitLocker Hardware Test has failed on the computer

We're seeing that issue on several new computers. I cannot find information about the error "BitLocker Hardware Test has failed on the computer". Is this a known issue?

HP EliteBook 640, Intel 13th Gen.

These errors are logged every day in Central for these computers:

Mar 5, 2024 7:02 AM      Device is not encrypted.    
Mar 5, 2024 7:02 AM     A BitLocker recovery key has been received from: COMPUTERNAME.
...
Jan 30, 2024 6:32 PM     Device Encryption failed on volume with id: BD886FBE-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxx. Reason: BitLocker Hardware Test has failed on the computer.



This thread was automatically locked due to age.
  • Hi LHerzog,

    Thanks for reaching out to us. 

    I was only able to find limited information on the BitLocker Hardware Test.
    BitLocker uses a hardware test as a dry run to make sure that all the key protectors are correctly set up and that the computer can start without issues.

    Regarding your issue, I'd suggest checking "C:\ProgramData\Sophos\Sophos Data Protection\Logs\cde.log" to see if any additional information from the hardware test results is shown. 

    In a couple of cases I found that if the BIOS on the system is in Legacy mode, this can cause the issue you're experiencing. The details on the following page may be of some help: Device Encryption system compatibility

    Kushal Lakhan
    Team Lead, Global Community Support
  • Hi & thanks for the hints. They helped for the beginning.

    At least one machine was encrypted successfully after reinstalling Sophos EP.

    Another machine was encrypting after we just started encryption in Windows BitLocker settings manually. Not something we want to do regularly.

    We're trying to rule out some BIOS versions and Secure Boot Settings now. And of course checking the cde log.

  • 2024-02-22 15:01:35,565Z: [INFO] Boot volume is prepared and plain and we need to encrypt it.
    2024-02-22 15:01:36,076Z: [INFO] TPM is ready for use.
    2024-02-22 15:01:36,170Z: [INFO] Volume C: is recoverable.
    2024-02-22 15:01:36,233Z: [INFO] Encrypting boot volume after hardware test, encryption type Full
    2024-02-22 15:01:36,346Z: [INFO] Hardware test and encryption already pending. Waiting for reboot.
    2024-02-22 15:01:36,360Z: [INFO] No reboot will be triggered for this unattended protector installation. Encryption will begin after the computer was rebooted manually.
    2024-02-22 15:01:36,425Z: [INFO] Boot volume is not encrypted - do not encrypt non-boot volumes.
    2024-02-22 15:01:37,249Z: [INFO] Boot volume is not encrypted - cannot install auto-unlock protectors on non-boot volumes.
    2024-02-22 15:01:38,789Z: [INFO] Successfully updated the Device Encryption status information in registry.
    2024-02-22 15:04:53,435Z: [INFO] Stopping the Sophos Device Encryption Service.
    2024-02-22 15:04:53,579Z: [WARN] Cannot remove Sophos recovery protectors from volume C: because of -2147023170. (Error code: 0x800706BE)
    2024-02-22 15:04:55,499Z: [INFO] Stopped the Sophos Device Encryption Service.
    2024-02-23 06:15:18,835Z: [INFO] Registry View set to Registry32
    2024-02-23 06:15:18,941Z: [INFO] Configured service as stoppable: ok
    2024-02-23 06:15:18,957Z: [INFO] Starting the Sophos Device Encryption Service (Version: 2.6.189.0)
    2024-02-23 06:15:18,957Z: [INFO] Device Encryption's custom pre-boot screen recovery message is not set. No need to update message text.
    2024-02-23 06:15:18,957Z: [INFO] Started the Sophos Device Encryption Service.
    ...
    2024-03-04 15:33:53,167Z: [INFO] Stopping the Sophos Device Encryption Service.
    2024-03-04 15:33:54,418Z: [INFO] Stopped the Sophos Device Encryption Service.
    2024-03-05 06:02:03,432Z: [INFO] Registry View set to Registry32
    2024-03-05 06:02:03,923Z: [INFO] Configured service as stoppable: ok
    2024-03-05 06:02:03,939Z: [INFO] Starting the Sophos Device Encryption Service (Version: 2.7.74.0)
    2024-03-05 06:02:03,939Z: [INFO] Device Encryption's custom pre-boot screen recovery message is not set. No need to update message text.
    2024-03-05 06:02:03,939Z: [INFO] Started the Sophos Device Encryption Service.
    2024-03-05 06:02:07,351Z: [WARN] Cannot listen for configuration changes in the registry. The sub key 'SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Services\Sophos Device Encryption Service' was not found.
    2024-03-05 06:02:07,368Z: [INFO] Successfully disabled the Tamper Protection for the service 'Sophos Device Encryption Service'.
    2024-03-05 06:02:07,383Z: [INFO] Sophos Device Encryption Service fully initialized.
    2024-03-05 06:02:07,432Z: [INFO] Boot volume is prepared and plain and we need to encrypt it.
    2024-03-05 06:02:07,525Z: [INFO] TPM is ready for use.
    2024-03-05 06:02:07,794Z: [INFO] Install new recovery protector on volume C:.
    2024-03-05 06:02:08,982Z: [INFO] Make recoverable is pending for volume C:.
    2024-03-05 06:02:08,998Z: [INFO] Sending key-transfer event to Central - recovery key '22e60190-15df-4d3d-b151-f1384678998e' on volume '\\?\Volume{bd886fbe-1388-4b40-b266-6f11e54b76d3}\'.
    2024-03-05 06:02:10,089Z: [INFO] Boot volume is not encrypted - cannot install auto-unlock protectors on non-boot volumes.
    2024-03-05 06:02:10,596Z: [INFO] Delete storage entry a6fec7ed-4784-4d75-bcf9-a512a4f4e898 found only in store and not on volume C:
    2024-03-05 06:02:10,675Z: [INFO] Recovery key '22e60190-15df-4d3d-b151-f1384678998e' on volume '\\?\Volume{bd886fbe-1388-4b40-b266-6f11e54b76d3}\' was stored in Central - status: Stored.
    2024-03-05 06:02:11,251Z: [INFO] Volume encryption status changed for volume \\?\Volume{bd886fbe-1388-4b40-b266-6f11e54b76d3}\: MountPoint: C: --> C:. VolumeLabel: System --> System. FileSystem: NTFS --> NTFS. IsBootVolume: True --> True. EncryptionState: Plain --> Plain. EncryptedSince: 01.01.0001 00:00:00 --> 01.01.0001 00:00:00. EncryptionMethod: EncryptionMethodFromGpoValue --> EncryptionMethodFromGpoValue. SuspensionStatus: NotSuspended --> NotSuspended. AuthenticationType: TpmOnly --> NoAuthentication.
    2024-03-05 06:02:11,829Z: [INFO] Successfully updated the Device Encryption status information in registry.
    2024-03-05 06:02:12,415Z: [INFO] Boot volume is prepared and plain and we need to encrypt it.
    2024-03-05 06:02:12,477Z: [INFO] TPM is ready for use.
    2024-03-05 06:02:12,572Z: [INFO] Volume C: is recoverable.
    2024-03-05 06:02:12,603Z: [INFO] Installing TPM-only protector without user interaction.
    2024-03-05 06:02:13,394Z: [INFO] Encrypting boot volume after hardware test, encryption type Full
    2024-03-05 06:02:13,504Z: [INFO] Hardware test and encryption already pending. Waiting for reboot.
    2024-03-05 06:02:13,504Z: [INFO] No reboot will be triggered for this unattended protector installation. Encryption will begin after the computer was rebooted manually.
    2024-03-05 06:02:13,583Z: [INFO] Boot volume is not encrypted - do not encrypt non-boot volumes.
    2024-03-05 06:02:14,537Z: [INFO] Boot volume is not encrypted - cannot install auto-unlock protectors on non-boot volumes.
    2024-03-05 06:02:15,497Z: [INFO] Volume encryption status changed for volume \\?\Volume{bd886fbe-1388-4b40-b266-6f11e54b76d3}\: MountPoint: C: --> C:. VolumeLabel: System --> System. FileSystem: NTFS --> NTFS. IsBootVolume: True --> True. EncryptionState: Plain --> Plain. EncryptedSince: 01.01.0001 00:00:00 --> 01.01.0001 00:00:00. EncryptionMethod: EncryptionMethodFromGpoValue --> EncryptionMethodFromGpoValue. SuspensionStatus: NotSuspended --> NotSuspended. AuthenticationType: NoAuthentication --> TpmOnly.
    2024-03-05 06:02:16,100Z: [INFO] Successfully updated the Device Encryption status information in registry.
    2024-03-05 06:02:16,363Z: [INFO] Boot volume is prepared and plain and we need to encrypt it.
    2024-03-05 06:02:16,418Z: [INFO] TPM is ready for use.
    2024-03-05 06:02:16,511Z: [INFO] Volume C: is recoverable.
    2024-03-05 06:02:16,576Z: [INFO] Encrypting boot volume after hardware test, encryption type Full
    2024-03-05 06:02:16,671Z: [INFO] Hardware test and encryption already pending. Waiting for reboot.
    2024-03-05 06:02:16,671Z: [INFO] No reboot will be triggered for this unattended protector installation. Encryption will begin after the computer was rebooted manually.
    2024-03-05 06:02:16,734Z: [INFO] Boot volume is not encrypted - do not encrypt non-boot volumes.
    2024-03-05 06:02:17,697Z: [INFO] Boot volume is not encrypted - cannot install auto-unlock protectors on non-boot volumes.
    2024-03-05 06:02:19,232Z: [INFO] Successfully updated the Device Encryption status information in registry.
    2024-03-05 07:02:05,488Z: [INFO] Boot volume is prepared and plain and we need to encrypt it.
    2024-03-05 07:02:05,714Z: [INFO] TPM is ready for use.
    2024-03-05 07:02:05,791Z: [INFO] Volume C: is recoverable.
    Reboot
    2024-03-05 15:06:40,369Z: [INFO] Stopping the Sophos Device Encryption Service.
    2024-03-05 15:06:42,450Z: [INFO] Stopped the Sophos Device Encryption Service.
    2024-03-06 05:54:14,661Z: [INFO] Registry View set to Registry32
    2024-03-06 05:54:14,849Z: [INFO] Configured service as stoppable: ok
    2024-03-06 05:54:14,849Z: [INFO] Starting the Sophos Device Encryption Service (Version: 2.7.74.0)
    2024-03-06 05:54:14,864Z: [INFO] Device Encryption's custom pre-boot screen recovery message is not set. No need to update message text.
    2024-03-06 05:54:14,864Z: [INFO] Started the Sophos Device Encryption Service.
    2024-03-06 05:54:18,099Z: [WARN] Cannot listen for configuration changes in the registry. The sub key 'SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Services\Sophos Device Encryption Service' was not found.
    2024-03-06 05:54:18,114Z: [INFO] Successfully disabled the Tamper Protection for the service 'Sophos Device Encryption Service'.
    2024-03-06 05:54:18,114Z: [INFO] Sophos Device Encryption Service fully initialized.
    2024-03-06 05:54:18,181Z: [INFO] Boot volume is prepared and plain and we need to encrypt it.
    2024-03-06 05:54:18,288Z: [INFO] TPM is ready for use.
    2024-03-06 05:54:18,540Z: [INFO] Install new recovery protector on volume C:.
    2024-03-06 05:54:19,566Z: [INFO] Make recoverable is pending for volume C:.
    2024-03-06 05:54:19,596Z: [INFO] Sending key-transfer event to Central - recovery key 'fcc7ad97-c90e-4cad-a4ff-ebd0b6d7051b' on volume '\\?\Volume{bd886fbe-1388-4b40-b266-6f11e54b76d3}\'.
    2024-03-06 05:54:20,469Z: [INFO] Boot volume is not encrypted - cannot install auto-unlock protectors on non-boot volumes.
    2024-03-06 05:54:20,920Z: [INFO] Delete storage entry 22e60190-15df-4d3d-b151-f1384678998e found only in store and not on volume C:
    2024-03-06 05:54:21,267Z: [INFO] Recovery key 'fcc7ad97-c90e-4cad-a4ff-ebd0b6d7051b' on volume '\\?\Volume{bd886fbe-1388-4b40-b266-6f11e54b76d3}\' was stored in Central - status: Stored.
    2024-03-06 05:54:21,431Z: [INFO] Volume encryption status changed for volume \\?\Volume{bd886fbe-1388-4b40-b266-6f11e54b76d3}\: MountPoint: C: --> C:. VolumeLabel: System --> System. FileSystem: NTFS --> NTFS. IsBootVolume: True --> True. EncryptionState: Plain --> Plain. EncryptedSince: 01.01.0001 00:00:00 --> 01.01.0001 00:00:00. EncryptionMethod: EncryptionMethodFromGpoValue --> EncryptionMethodFromGpoValue. SuspensionStatus: NotSuspended --> NotSuspended. AuthenticationType: TpmOnly --> NoAuthentication.
    2024-03-06 05:54:22,020Z: [INFO] Successfully updated the Device Encryption status information in registry.
    2024-03-06 05:54:22,564Z: [INFO] Boot volume is prepared and plain and we need to encrypt it.
    2024-03-06 05:54:22,609Z: [INFO] TPM is ready for use.
    2024-03-06 05:54:22,685Z: [INFO] Volume C: is recoverable.
    2024-03-06 05:54:22,715Z: [INFO] Installing TPM-only protector without user interaction.
    2024-03-06 05:54:23,723Z: [INFO] Encrypting boot volume after hardware test, encryption type Full
    2024-03-06 05:54:23,819Z: [INFO] Hardware test and encryption already pending. Waiting for reboot.
    2024-03-06 05:54:23,823Z: [INFO] No reboot will be triggered for this unattended protector installation. Encryption will begin after the computer was rebooted manually.
    2024-03-06 05:54:23,882Z: [INFO] Boot volume is not encrypted - do not encrypt non-boot volumes.
    2024-03-06 05:54:24,793Z: [INFO] Boot volume is not encrypted - cannot install auto-unlock protectors on non-boot volumes.
    2024-03-06 05:54:25,590Z: [INFO] Volume encryption status changed for volume \\?\Volume{bd886fbe-1388-4b40-b266-6f11e54b76d3}\: MountPoint: C: --> C:. VolumeLabel: System --> System. FileSystem: NTFS --> NTFS. IsBootVolume: True --> True. EncryptionState: Plain --> Plain. EncryptedSince: 01.01.0001 00:00:00 --> 01.01.0001 00:00:00. EncryptionMethod: EncryptionMethodFromGpoValue --> EncryptionMethodFromGpoValue. SuspensionStatus: NotSuspended --> NotSuspended. AuthenticationType: NoAuthentication --> TpmOnly.
    2024-03-06 05:54:26,252Z: [INFO] Successfully updated the Device Encryption status information in registry.
    2024-03-06 05:54:26,538Z: [INFO] Boot volume is prepared and plain and we need to encrypt it.
    2024-03-06 05:54:26,604Z: [INFO] TPM is ready for use.
    2024-03-06 05:54:26,690Z: [INFO] Volume C: is recoverable.
    2024-03-06 05:54:26,812Z: [INFO] Encrypting boot volume after hardware test, encryption type Full
    2024-03-06 05:54:27,021Z: [INFO] Hardware test and encryption already pending. Waiting for reboot.
    2024-03-06 05:54:27,025Z: [INFO] No reboot will be triggered for this unattended protector installation. Encryption will begin after the computer was rebooted manually.
    2024-03-06 05:54:27,092Z: [INFO] Boot volume is not encrypted - do not encrypt non-boot volumes.
    2024-03-06 05:54:28,218Z: [INFO] Boot volume is not encrypted - cannot install auto-unlock protectors on non-boot volumes.
    2024-03-06 05:54:29,685Z: [INFO] Successfully updated the Device Encryption status information in registry.
    2024-03-06 06:54:15,725Z: [INFO] Boot volume is prepared and plain and we need to encrypt it.
    2024-03-06 06:54:15,961Z: [INFO] TPM is ready for use.
    2024-03-06 06:54:16,055Z: [INFO] Volume C: is recoverable.
    2024-03-06 06:54:16,118Z: [INFO] Encrypting boot volume after hardware test, encryption type Full
    2024-03-06 06:54:16,244Z: [INFO] Hardware test and encryption already pending. Waiting for reboot.
    2024-03-06 06:54:16,244Z: [INFO] No reboot will be triggered for this unattended protector installation. Encryption will begin after the computer was rebooted manually.
    2024-03-06 06:54:16,309Z: [INFO] Boot volume is not encrypted - do not encrypt non-boot volumes.
    2024-03-06 06:54:17,297Z: [INFO] Boot volume is not encrypted - cannot install auto-unlock protectors on non-boot volumes.
    2024-03-06 06:54:18,968Z: [INFO] Successfully updated the Device Encryption status information in registry.
    2024-03-06 07:15:04,773Z: [INFO] Boot volume is prepared and plain and we need to encrypt it.
    2024-03-06 07:15:05,421Z: [INFO] TPM is ready for use.
    2024-03-06 07:15:05,553Z: [INFO] Volume C: is recoverable.
    2024-03-06 07:15:05,624Z: [INFO] Encrypting boot volume after hardware test, encryption type Full
    2024-03-06 07:15:05,751Z: [INFO] Hardware test and encryption already pending. Waiting for reboot.
    2024-03-06 07:15:05,755Z: [INFO] No reboot will be triggered for this unattended protector installation. Encryption will begin after the computer was rebooted manually.
    2024-03-06 07:15:05,828Z: [INFO] Boot volume is not encrypted - do not encrypt non-boot volumes.
    2024-03-06 07:15:06,806Z: [INFO] Boot volume is not encrypted - cannot install auto-unlock protectors on non-boot volumes.
    2024-03-06 07:15:08,517Z: [INFO] Successfully updated the Device Encryption status information in registry.
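
A way to triage a cde.log like the one posted above, added here as an example (it is not part of the original thread and is not Sophos tooling): it splits the log into service sessions, counts how often the hardware test is still pending in each, and counts how many different recovery keys were sent to Central while the volume stayed `Plain`. The function names, the sample lines (constructed, in the message format shown in the thread) and the assumption that one service start roughly corresponds to one boot are mine.

```python
import re

# Constructed sample in the cde.log format quoted in the thread (GUIDs are placeholders).
SAMPLE = """\
2024-03-05 06:02:03,939Z: [INFO] Starting the Sophos Device Encryption Service (Version: 2.7.74.0)
2024-03-05 06:02:08,998Z: [INFO] Sending key-transfer event to Central - recovery key '11111111-aaaa-4aaa-8aaa-111111111111' on volume 'C:'.
2024-03-05 06:02:13,504Z: [INFO] Hardware test and encryption already pending. Waiting for reboot.
2024-03-05 06:02:15,497Z: [INFO] Volume encryption status changed for volume C: EncryptionState: Plain --> Plain.
Reboot
2024-03-06 05:54:14,849Z: [INFO] Starting the Sophos Device Encryption Service (Version: 2.7.74.0)
2024-03-06 05:54:19,596Z: [INFO] Sending key-transfer event to Central - recovery key '22222222-bbbb-4bbb-8bbb-222222222222' on volume 'C:'.
2024-03-06 05:54:23,819Z: [INFO] Hardware test and encryption already pending. Waiting for reboot.
2024-03-06 05:54:27,021Z: [INFO] Hardware test and encryption already pending. Waiting for reboot.
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+Z: \[(\w+)\] (.*)$")
KEY = re.compile(r"Sending key-transfer event to Central - recovery key '([0-9a-f-]+)'")
STATE = re.compile(r"EncryptionState: \w+ --> (\w+)")

def sessions(text):
    """Group log lines into sessions, one per 'Starting the ... Service' line."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skips '...' and hand-written markers such as 'Reboot'
        ts, _level, msg = m.groups()
        if msg.startswith("Starting the Sophos Device Encryption Service") or not out:
            out.append({"start": ts, "pending": 0, "keys": [], "state": None})
        s = out[-1]
        if msg.startswith("Hardware test and encryption already pending"):
            s["pending"] += 1
        elif (k := KEY.search(msg)):
            s["keys"].append(k.group(1))
        elif (e := STATE.search(msg)):
            s["state"] = e.group(1)  # last reported EncryptionState in this session
    return out

def triage(text):
    """Flag a device whose hardware test stays pending across sessions while still Plain."""
    sess = sessions(text)
    stuck = [s for s in sess if s["pending"] and s["state"] in (None, "Plain")]
    keys = {k for s in sess for k in s["keys"]}
    return {"sessions": len(sess), "stuck_sessions": len(stuck),
            "distinct_recovery_keys": len(keys),
            "hardware_test_never_completes": len(stuck) >= 2}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A device that reports the hardware test as pending in two or more sessions, with a fresh recovery key each time and no change from `Plain`, matches the pattern in the posted log and is a candidate for the BIOS and Secure Boot checks discussed in the thread.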