COM Error Codes (TPM, PLA, FVE)
The following table provides a list of error codes used by COM-based APIs.
If you are experiencing difficulty with an application you are installing or running, contact customer support for the software that is displaying the error message. To obtain support for a Microsoft product, go to https://support.microsoft.com.
| Constant/value | Description |
|---|---|
|
This is an error mask to convert TPM hardware errors to win errors. |
|
Authentication failed. |
|
The index to a PCR, DIR or other register is incorrect. |
|
One or more parameter is bad. |
|
An operation completed successfully but the auditing of that operation failed. |
|
The clear disable flag is set and all clear operations now require physical access. |
|
Activate the Trusted Platform Module (TPM). |
|
Enable the Trusted Platform Module (TPM). |
|
The target command has been disabled. |
|
The operation failed. |
|
The ordinal was unknown or inconsistent. |
|
The ability to install an owner is disabled. |
|
The key handle cannot be interpreted. |
|
The key handle points to an invalid key. |
|
Unacceptable encryption scheme. |
|
Migration authorization failed. |
|
PCR information could not be interpreted. |
|
No room to load key. |
|
There is no Storage Root Key (SRK) set. |
|
An encrypted blob is invalid or was not created by this TPM. |
|
The Trusted Platform Module (TPM) already has an owner. |
|
The TPM has insufficient internal resources to perform the requested action. |
|
A random string was too short. |
|
The TPM does not have the space to perform the operation. |
|
The named PCR value does not match the current PCR value. |
|
The paramSize argument to the command has the incorrect value . |
|
There is no existing SHA-1 thread. |
|
The calculation is unable to proceed because the existing SHA-1 thread has already encountered an error. |
|
The TPM hardware device reported a failure during its internal self test. Try restarting the computer to resolve the problem. If the problem continues, you might need to replace your TPM hardware or motherboard. |
|
The authorization for the second key in a 2 key function failed authorization. |
|
The tag value sent to for a command is invalid. |
|
An IO error occurred transmitting information to the TPM. |
|
The encryption process had a problem. |
|
The decryption process did not complete. |
|
An invalid handle was used. |
|
The TPM does not have an Endorsement Key (EK) installed. |
|
The usage of a key is not allowed. |
|
The submitted entity type is not allowed. |
|
The command was received in the wrong sequence relative to TPM_Init and a subsequent TPM_Startup. |
|
Signed data cannot include additional DER information. |
|
The key properties in TPM_KEY_PARMs are not supported by this TPM. |
|
The migration properties of this key are incorrect. |
|
The signature or encryption scheme for this key is incorrect or not permitted in this situation. |
|
The size of the data (or blob) parameter is bad or inconsistent with the referenced key. |
|
A mode parameter is bad, such as capArea or subCapArea for TPM_GetCapability, phsicalPresence parameter for TPM_PhysicalPresence, or migrationType for TPM_CreateMigrationBlob. |
|
Either the physicalPresence or physicalPresenceLock bits have the wrong value. |
|
The TPM cannot perform this version of the capability. |
|
The TPM does not allow for wrapped transport sessions. |
|
TPM audit construction failed and the underlying command was returning a failure code also. |
|
TPM audit construction failed and the underlying command was returning success. |
|
Attempt to reset a PCR register that does not have the resettable attribute. |
|
Attempt to reset a PCR register that requires locality and locality modifier not part of command transport. |
|
Make identity blob not properly typed. |
|
When saving context identified resource type does not match actual resource. |
|
The TPM is attempting to execute a command only available when in FIPS mode. |
|
The command is attempting to use an invalid family ID. |
|
The permission to manipulate the NV storage is not available. |
|
The operation requires a signed command. |
|
Wrong operation to load an NV key. |
|
NV_LoadKey blob requires both owner and blob authorization. |
|
The NV area is locked and not writtable. |
|
The locality is incorrect for the attempted operation. |
|
The NV area is read only and can't be written to. |
|
There is no protection on the write to the NV area. |
|
The family count value does not match. |
|
The NV area has already been written to. |
|
The NV area attributes conflict. |
|
The structure tag and version are invalid or inconsistent. |
|
The key is under control of the TPM Owner and can only be evicted by the TPM Owner. |
|
The counter handle is incorrect. |
|
The write is not a complete write of the area. |
|
The gap between saved context counts is too large. |
|
The maximum number of NV writes without an owner has been exceeded. |
|
No operator AuthData value is set. |
|
The resource pointed to by context is not loaded. |
|
The delegate administration is locked. |
|
Attempt to manage a family other than the delegated family. |
|
Delegation table management not enabled. |
|
There was a command executed outside of an exclusive transport session. |
|
Attempt to context save a owner evict controlled key. |
|
The DAA command has no resources availble to execute the command. |
|
The consistency check on DAA parameter inputData0 has failed. |
|
The consistency check on DAA parameter inputData1 has failed. |
|
The consistency check on DAA_issuerSettings has failed. |
|
The consistency check on DAA_tpmSpecific has failed. |
|
The atomic process indicated by the submitted DAA command is not the expected process. |
|
The issuer's validity check has detected an inconsistency. |
|
The consistency check on w has failed. |
|
The handle is incorrect. |
|
Delegation is not correct. |
|
The context blob is invalid. |
|
Too many contexts held by the TPM. |
|
Migration authority signature validation failure. |
|
Migration destination not authenticated. |
|
Migration source incorrect. |
|
Incorrect migration authority. |
|
Attempt to revoke the EK and the EK is not revocable. |
|
Bad signature of CMK ticket. |
|
There is no room in the context list for additional contexts. |
|
The command was blocked. |
|
The specified handle was not found. |
|
The TPM returned a duplicate handle and the command needs to be resubmitted. |
|
The command within the transport was blocked. |
|
The command within the transport is not supported. |
|
The TPM is too busy to respond to the command immediately, but the command could be resubmitted at a later time. |
|
SelfTestFull has not been run. |
|
The TPM is currently executing a full selftest. |
|
The TPM is defending against dictionary attacks and is in a time-out period. |
|
TPM 2.0: Inconsistent attributes. |
|
TPM 2.0: Hash algorithm not supported or not appropriate. |
|
TPM 2.0: Value is out of range or is not correct for the context. |
|
TPM 2.0: Hierarchy is not enabled or is not correct for the use. |
|
TPM 2.0: Key size is not supported. |
|
TPM 2.0: Mask generation function not supported. |
|
TPM 2.0: Mode of operation not supported. |
|
TPM 2.0: The type of the value is not appropriate for the use. |
|
TPM 2.0: The Handle is not correct for the use. |
|
TPM 2.0: Unsupported key derivation function or function not appropriate for use. |
|
TPM 2.0: Value was out of allowed range. |
|
TPM 2.0: The authorization HMAC check failed and DA counter incremented. |
|
TPM 2.0: Invalid nonce size. |
|
TPM 2.0: Unsupported or incompatible scheme. |
|
TPM 2.0: Structure is wrong size.. |
TPM_20_E_SYMMETRIC
|
TPM 2.0: Unsupported symmetric algorithm or key size, or not appropriate for instance. |
|
TPM 2.0: Incorrect structure tag. |
|
TPM 2.0: Union selector is incorrect. |
|
TPM 2.0: The TPM was unable to unmarshal a value because there were not enough octets in the input buffer. |
|
TPM 2.0: The signature is not valid. |
|
TPM 2.0: Key fields are not compatible with the selected use. |
|
TPM 2.0: A policy check failed. |
|
TPM 2.0: Integrity check failed. |
|
TPM 2.0: Invalid ticket. |
|
TPM 2.0: Reserved bits not set to zero as required. |
|
TPM 2.0: Authorization failure without DA implications. |
|
TPM 2.0: The policy has expired. |
|
TPM 2.0: The command code in the policy is not the command code of the command or the command code in a policy command references a command that is not implemented. |
|
TPM 2.0: Public and sensitive portions of an object are not cryptographically bound. |
|
TPM 2.0: Curve not supported. |
|
TPM 2.0: Point is not on the required curve. |
|
TPM 2.0: TPM not initialized. |
|
TPM 2.0: Commands not being accepted because of a TPM failure. |
|
TPM 2.0: Improper use of a sequence handle. |
|
TPM 2.0: TPM_RC_PRIVATE error. |
|
TPM 2.0: TPM_RC_HMAC. |
|
TPM 2.0: TPM_RC_DISABLED. |
|
TPM 2.0: Command failed because audit sequence required exclusivity. |
|
TPM 2.0: Unsupported ECC curve. |
|
TPM 2.0: Authorization handle is not correct for command. |
|
TPM 2.0: Command requires an authorization session for handle and is not present. |
|
TPM 2.0: Policy failure in Math Operation or an invalid authPolicy value. |
|
TPM 2.0: PCR check fail. |
|
TPM 2.0: PCR have changed since checked. |
|
TPM 2.0: The TPM is not in the right mode for upgrade. |
|
TPM 2.0: Context ID counter is at maximum. |
|
TPM 2.0: authValue or authPolicy is not available for selected entity. |
|
TPM 2.0: A _TPM_Init and Startup(CLEAR) is required before the TPM can resume operation. |
|
TPM 2.0: The protection algorithms (hash and symmetric) are not reasonably balanced. The digest size of the hash must be larger than the key size of the symmetric algorithm. |
|
TPM 2.0: The TPM command's commandSize value is inconsistent with contents of the command buffer; either the size is not the same as the bytes loaded by the hardware interface layer or the value is not large enough to hold a command header. |
|
TPM 2.0: Command code not supported. |
|
TPM 2.0: The value of authorizationSize is out of range or the number of octets in the authorization Area is greater than required. |
|
TPM 2.0: Use of an authorization session with a context command or another command that cannot have an authorization session. |
|
TPM 2.0: NV offset+size is out of range. |
|
TPM 2.0: Requested allocation size is larger than allowed. |
|
TPM 2.0: NV access locked. |
|
TPM 2.0: NV access authorization fails in command actions |
|
TPM 2.0: An NV index is used before being initialized or the state saved by TPM2_Shutdown(STATE) could not be restored. |
|
TPM 2.0: Insufficient space for NV allocation. |
|
TPM 2.0: NV index or persistent object already defined. |
|
TPM 2.0: Context in TPM2_ContextLoad() is not valid. |
|
TPM 2.0: chHash value already set or not correct for use. |
|
TPM 2.0: Handle for parent is not a valid parent. |
|
TPM 2.0: Some function needs testing. |
|
TPM 2.0: returned when an internal function cannot process a request due to an unspecified problem. This code is usually related to invalid parameters that are not properly filtered by the input unmarshaling code. |
|
TPM 2.0: The sensitive area did not unmarshal correctly after decryption - this code is used in lieu of the other unmarshaling errors so that an attacker cannot determine where the unmarshaling error occurred. |
|
TPM 2.0: Gap for context ID is too large. |
|
TPM 2.0: Out of memory for object contexts. |
|
TPM 2.0: Out of memory for session contexts. |
|
TPM 2.0: Out of shared object/session memory or need space for internal operations. |
|
TPM 2.0: Out of session handles - a session must be flushed before a new session may be created. |
|
TPM 2.0: Out of object handles - the handle space for objects is depleted and a reboot is required. |
|
TPM 2.0: Bad locality. |
|
TPM 2.0: The TPM has suspended operation on the command; forward progress was made and the command may be retried. |
|
TPM 2.0: The command was canceled. |
|
TPM 2.0: TPM is performing self-tests. |
|
TPM 2.0: The TPM is rate-limiting accesses to prevent wearout of NV. |
|
TPM 2.0: Authorization for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode. |
|
TPM 2.0: The TPM was not able to start the command. |
|
TPM 2.0: the command may require writing of NV and NV is not current accessible.. |
|
An internal software error has been detected. |
|
One or more input parameters is bad. |
|
A specified output pointer is bad. |
|
The specified context handle does not refer to a valid context. |
|
A specified output buffer is too small. |
|
An error occurred while communicating with the TPM. |
|
One or more context parameters is invalid. |
|
The TBS service is not running and could not be started. |
|
A new context could not be created because there are too many open contexts. |
|
A new virtual resource could not be created because there are too many open virtual resources. |
|
The TBS service has been started but is not yet running. |
|
The physical presence interface is not supported. |
|
The command was canceled. |
|
The input or output buffer is too large. |
|
A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer. |
|
The TBS service has been disabled. |
|
No TCG event log is available. |
|
The caller does not have the appropriate rights to perform the requested operation. |
|
The TPM provisioning action is not allowed by the specified flags. For provisioning to be successful, one of several actions may be required. The TPM management console (tpm.msc) action to make the TPM Ready may help. For further information, see the documentation for the Win32_Tpm WMI method 'Provision'. (The actions that may be required include importing the TPM Owner Authorization value into the system, calling the Win32_Tpm WMI method for provisioning the TPM and specifying TRUE for either 'ForceClear_Allowed' or 'PhysicalPresencePrompts_Allowed' (as indicated by the value returned in the Additional Information), or enabling the TPM in the system BIOS.) |
|
The Physical Presence Interface of this firmware does not support the requested method. |
|
The requested TPM OwnerAuth value was not found. |
|
The TPM provisioning did not complete. For more information on completing the provisioning, call the Win32_Tpm WMI method for provisioning the TPM ('Provision') and check the returned Information. |
|
The command buffer is not in the correct state. |
|
The command buffer does not contain enough data to satisfy the request. |
|
The command buffer cannot contain any more data. |
|
One or more output parameters was NULL or invalid. |
|
One or more input parameters is invalid. |
|
Not enough memory was available to satisfy the request. |
|
The specified buffer was too small. |
|
An internal error was detected. |
|
The caller does not have the appropriate rights to perform the requested operation. |
|
The specified authorization information was invalid. |
|
The specified context handle was not valid. |
|
An error occurred while communicating with the TBS. |
|
The TPM returned an unexpected result. |
|
The message was too large for the encoding scheme. |
|
The encoding in the blob was not recognized. |
|
The key size is not valid. |
|
The encryption operation failed. |
|
The key parameters structure was not valid |
|
The requested supplied data does not appear to be a valid migration authorization blob. |
|
The specified PCR index was invalid |
|
The data given does not appear to be a valid delegate blob. |
|
One or more of the specified context parameters was not valid. |
|
The data given does not appear to be a valid key blob |
|
The specified PCR data was invalid. |
|
The format of the owner auth data was invalid. |
|
The random number generated did not pass FIPS RNG check. |
|
The TCG Event Log does not contain any data. |
|
An entry in the TCG Event Log was invalid. |
|
A TCG Separator was not found. |
|
A digest value in a TCG Log entry did not match hashed data. |
|
The requested operation was blocked by current TPM policy. Please contact your system administrator for assistance. |
|
The specified buffer was too small. |
|
The context could not be cleaned up. |
|
The specified context handle is invalid. |
|
An invalid context parameter was specified. |
|
An error occurred while communicating with the TPM |
|
No entry with the specified key was found. |
|
The specified virtual handle matches a virtual handle already in use. |
|
The pointer to the returned handle location was NULL or invalid |
|
One or more parameters is invalid |
|
The RPC subsystem could not be initialized. |
|
The TBS scheduler is not running. |
|
The command was canceled. |
|
There was not enough memory to fulfill the request |
|
The specified list is empty, or the iteration has reached the end of the list. |
|
The specified item was not found in the list. |
|
The TPM does not have enough space to load the requested resource. |
|
There are too many TPM contexts in use. |
|
The TPM command failed. |
|
The TBS does not recognize the specified ordinal. |
|
The requested resource is no longer available. |
|
The resource type did not match. |
|
No resources can be unloaded. |
|
No new entries can be added to the hash table. |
|
A new TBS context could not be created because there are too many open contexts. |
|
A new virtual resource could not be created because there are too many open virtual resources. |
|
The physical presence interface is not supported. |
|
TBS is not compatible with the version of TPM found on the system. |
|
No TCG event log is available. |
|
A general error was detected when attempting to acquire the BIOS's response to a Physical Presence command. |
|
The user failed to confirm the TPM operation request. |
|
The BIOS failure prevented the successful execution of the requested TPM operation (e.g. invalid TPM operation request, BIOS communication error with the TPM). |
|
The BIOS does not support the physical presence interface. |
|
The Physical Presence command was blocked by current BIOS settings. The system owner may be able to reconfigure the BIOS settings to allow the command. |
|
This is an error mask to convert Platform Crypto Provider errors to win errors. |
|
The Platform Crypto Device is currently not ready. It needs to be fully provisioned to be operational. |
|
The handle provided to the Platform Crypto Provider is invalid. |
|
A parameter provided to the Platform Crypto Provider is invalid. |
|
A provided flag to the Platform Crypto Provider is not supported. |
|
The requested operation is not supported by this Platform Crypto Provider. |
|
The buffer is too small to contain all data. No information has been written to the buffer. |
|
An unexpected internal error has occurred in the Platform Crypto Provider. |
|
The authorization to use a provider object has failed. |
|
The Platform Crypto Device has ignored the authorization for the provider object, to mitigate against a dictionary attack. |
|
The referenced policy was not found. |
|
The referenced profile was not found. |
|
The validation was not successful. |
|
An attempt was made to import or load a key under an incorrect storage parent. |
|
The TPM key is not loaded. |
|
The TPM key certification has not been generated. |
|
The TPM key is not yet finalized. |
|
The TPM attestation challenge is not set. |
|
The TPM PCR info is not available. |
|
The TPM key is already finalized. |
|
The TPM key usage policy is not supported. |
|
The TPM key usage policy is invalid. |
|
There was a problem with the software key being imported into the TPM. |
|
The TPM key is not authenticated. |
|
The TPM key is not an AIK. |
|
The TPM key is not a signing key. |
|
The TPM is locked out. |
|
The claim type requested is not supported. |
|
TPM version is not supported. |
|
The buffer lengths do not match. |
|
The RSA key creation is blocked on this TPM due to known security vulnerabilities. |
|
A ticket required to use a key was not provided. |
|
This key has a raw policy so the KSP can't authenticate against it. |
|
The TPM key's handle was unexpectedly invalidated due to a hardware or firmware issue. |
|
The requested salt size for signing with RSAPSS does not match what the TPM uses. |
|
Validation of the platform claim failed. |
|
The requested platform claim is for a previous boot. |
|
The platform claim is for a previous boot, and cannot be created without reboot. |
|
TPM related network operations are blocked as Zero Exhaust mode is enabled on client. |
|
TPM provisioning did not run to completion. |
|
An invalid owner authorization value was specified. |
|
TPM command returned too much data. |
|
Data Collector Set was not found. |
|
The Data Collector Set or one of its dependencies is already in use. |
|
Unable to start Data Collector Set because there are too many folders. |
|
Not enough free disk space to start Data Collector Set. |
|
Data Collector Set already exists. |
|
Property value will be ignored. |
|
Property value conflict. |
|
The current configuration for this Data Collector Set requires that it contain exactly one Data Collector. |
|
A user account is required in order to commit the current Data Collector Set properties. |
|
Data Collector Set is not running. |
|
A conflict was detected in the list of include/exclude APIs. Do not specify the same API in both the include list and the exclude list. |
|
The executable path you have specified refers to a network share or UNC path. |
|
The executable path you have specified is already configured for API tracing. |
|
The executable path you have specified does not exist. Verify that the specified path is correct. |
|
Data Collector already exists. |
|
The wait for the Data Collector Set start notification has timed out. |
|
The wait for the Data Collector to start has timed out. |
|
The wait for the report generation tool to finish has timed out. |
|
Duplicate items are not allowed. |
|
When specifying the executable that you want to trace, you must specify a full path to the executable and not just a filename. |
|
The session name provided is invalid. |
|
The Event Log channel Microsoft-Windows-Diagnosis-PLA/Operational must be enabled to perform this operation. |
|
The Event Log channel Microsoft-Windows-TaskScheduler must be enabled to perform this operation. |
|
The execution of the Rules Manager failed. |
|
An error occurred while attempting to compress or extract the data. |
|
This drive is locked by BitLocker Drive Encryption. You must unlock this drive from Control Panel. |
|
The drive is not encrypted. |
|
The BIOS did not correctly communicate with the Trusted Platform Module (TPM). Contact the computer manufacturer for BIOS upgrade instructions. |
|
The BIOS did not correctly communicate with the master boot record (MBR). Contact the computer manufacturer for BIOS upgrade instructions. |
|
A required TPM measurement is missing. If there is a bootable CD or DVD in your computer, remove it, restart the computer, and turn on BitLocker again. If the problem persists, ensure the master boot record is up to date. |
|
The boot sector of this drive is not compatible with BitLocker Drive Encryption. Use the Bootrec.exe tool in the Windows Recovery Environment to update or repair the boot manager (BOOTMGR). |
|
The boot manager of this operating system is not compatible with BitLocker Drive Encryption. Use the Bootrec.exe tool in the Windows Recovery Environment to update or repair the boot manager (BOOTMGR). |
|
At least one secure key protector is required for this operation to be performed. |
|
BitLocker Drive Encryption is not enabled on this drive. Turn on BitLocker. |
|
BitLocker Drive Encryption cannot perform requested action. This condition may occur when two requests are issued at the same time. Wait a few moments and then try the action again. |
|
The Active Directory Domain Services forest does not contain the required attributes and classes to host BitLocker Drive Encryption or Trusted Platform Module information. Contact your domain administrator to verify that any required BitLocker Active Directory schema extensions have been installed. |
|
The type of the data obtained from Active Directory was not expected. The BitLocker recovery information may be missing or corrupted. |
|
The size of the data obtained from Active Directory was not expected. The BitLocker recovery information may be missing or corrupted. |
|
The attribute read from Active Directory does not contain any values. The BitLocker recovery information may be missing or corrupted. |
|
The attribute was not set. Verify that you are logged on with a domain account that has the ability to write information to Active Directory objects. |
|
The specified attribute cannot be found in Active Directory Domain Services. Contact your domain administrator to verify that any required BitLocker Active Directory schema extensions have been installed. |
|
The BitLocker metadata for the encrypted drive is not valid. You can attempt to repair the drive to restore access. |
|
The drive cannot be encrypted because it does not have enough free space. Delete any unnecessary data on the drive to create additional free space and then try again. |
|
The drive cannot be encrypted because it contains system boot information. Create a separate partition for use as the system drive that contains the boot information and a second partition for use as the operating system drive and then encrypt the operating system drive. |
|
The drive cannot be encrypted because the file system is not supported. |
|
The file system size is larger than the partition size in the partition table. This drive may be corrupt or may have been tampered with. To use it with BitLocker, you must reformat the partition. |
|
This drive cannot be encrypted. |
|
The data is not valid. |
|
The data drive specified is not set to automatically unlock on the current computer and cannot be unlocked automatically. |
|
You must initialize the Trusted Platform Module (TPM) before you can use BitLocker Drive Encryption. |
|
The operation attempted cannot be performed on an operating system drive. |
|
The buffer supplied to a function was insufficient to contain the returned data. Increase the buffer size before running the function again. |
|
A read operation failed while converting the drive. The drive was not converted. Please re-enable BitLocker. |
|
A write operation failed while converting the drive. The drive was not converted. Please re-enable BitLocker. |
|
One or more BitLocker key protectors are required. You cannot delete the last key on this drive. |
|
Cluster configurations are not supported by BitLocker Drive Encryption. |
|
The drive specified is already configured to be automatically unlocked on the current computer. |
|
The operating system drive is not protected by BitLocker Drive Encryption. |
|
BitLocker Drive Encryption has been suspended on this drive. All BitLocker key protectors configured for this drive are effectively disabled, and the drive will be automatically unlocked using an unencrypted (clear) key. |
|
The drive you are attempting to lock does not have any key protectors available for encryption because BitLocker protection is currently suspended. Re-enable BitLocker to lock this drive. |
|
BitLocker cannot use the Trusted Platform Module (TPM) to protect a data drive. TPM protection can only be used with the operating system drive. |
|
The BitLocker metadata for the encrypted drive cannot be updated because it was locked for updating by another process. Please try this process again. |
|
The authorization data for the storage root key (SRK) of the Trusted Platform Module (TPM) is not zero and is therefore incompatible with BitLocker. Please initialize the TPM before attempting to use it with BitLocker. |
|
The drive encryption algorithm cannot be used on this sector size. |
|
The drive cannot be unlocked with the key provided. Confirm that you have provided the correct key and try again. |
|
The drive specified is not the operating system drive. |
|
BitLocker Drive Encryption cannot be turned off on the operating system drive until the auto unlock feature has been disabled for the fixed data drives and removable data drives associated with this computer. |
|
The system partition boot sector does not perform Trusted Platform Module (TPM) measurements. Use the Bootrec.exe tool in the Windows Recovery Environment to update or repair the boot sector. |
|
BitLocker Drive Encryption operating system drives must be formatted with the NTFS file system in order to be encrypted. Convert the drive to NTFS, and then turn on BitLocker. |
|
Group Policy settings require that a recovery password be specified before encrypting the drive. |
|
The drive encryption algorithm and key cannot be set on a previously encrypted drive. To encrypt this drive with BitLocker Drive Encryption, remove the previous encryption and then turn on BitLocker. |
|
BitLocker Drive Encryption cannot encrypt the specified drive because an encryption key is not available. Add a key protector to encrypt this drive. |
|
BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer. Remove the media and restart the computer before configuring BitLocker. |
|
This key protector cannot be added. Only one key protector of this type is allowed for this drive. |
|
The recovery password file was not found because a relative path was specified. Recovery passwords must be saved to a fully qualified path. Environment variables configured on the computer can be used in the path. |
|
The specified key protector was not found on the drive. Try another key protector. |
|
The recovery key provided is corrupt and cannot be used to access the drive. An alternative recovery method, such as recovery password, a data recovery agent, or a backup version of the recovery key must be used to recover access to the drive. |
|
The format of the recovery password provided is invalid. BitLocker recovery passwords are 48 digits. Verify that the recovery password is in the correct format and then try again. |
|
The random number generator check test failed. |
|
The Group Policy setting requiring FIPS compliance prevents a local recovery password from being generated or used by BitLocker Drive Encryption. When operating in FIPS-compliant mode, BitLocker recovery options can be either a recovery key stored on a USB drive or recovery through a data recovery agent. |
|
The Group Policy setting requiring FIPS compliance prevents the recovery password from being saved to Active Directory. When operating in FIPS-compliant mode, BitLocker recovery options can be either a recovery key stored on a USB drive or recovery through a data recovery agent. Check your Group Policy settings configuration. |
|
The drive must be fully decrypted to complete this operation. |
|
The key protector specified cannot be used for this operation. |
|
No key protectors exist on the drive to perform the hardware test. |
|
The BitLocker startup key or recovery password cannot be found on the USB device. Verify that you have the correct USB device, that the USB device is plugged into the computer on an active USB port, restart the computer, and then try again. If the problem persists, contact the computer manufacturer for BIOS upgrade instructions. |
|
The BitLocker startup key or recovery password file provided is corrupt or invalid. Verify that you have the correct startup key or recovery password file and try again. |
|
The BitLocker encryption key cannot be obtained from the startup key or recovery password. Verify that you have the correct startup key or recovery password and try again. |
|
The Trusted Platform Module (TPM) is disabled. The TPM must be enabled, initialized, and have valid ownership before it can be used with BitLocker Drive Encryption. |
|
The BitLocker configuration of the specified drive cannot be managed because this computer is currently operating in Safe Mode. While in Safe Mode, BitLocker Drive Encryption can only be used for recovery purposes. |
|
The Trusted Platform Module (TPM) was not able to unlock the drive because the system boot information has changed or a PIN was not provided correctly. Verify that the drive has not been tampered with and that changes to the system boot information were caused by a trusted source. After verifying that the drive is safe to access, use the BitLocker recovery console to unlock the drive and then suspend and resume BitLocker to update system boot information that BitLocker associates with this drive. |
|
The BitLocker encryption key cannot be obtained from the Trusted Platform Module (TPM). |
|
The BitLocker encryption key cannot be obtained from the Trusted Platform Module (TPM) and PIN. |
|
A boot application has changed since BitLocker Drive Encryption was enabled. |
|
The Boot Configuration Data (BCD) settings have changed since BitLocker Drive Encryption was enabled. |
|
The Group Policy setting requiring FIPS compliance prohibits the use of unencrypted keys, which prevents BitLocker from being suspended on this drive. Please contact your domain administrator for more information. |
|
This drive cannot be encrypted by BitLocker Drive Encryption because the file system does not extend to the end of the drive. Repartition this drive and then try again. |
|
BitLocker Drive Encryption cannot be enabled on the operating system drive. Contact the computer manufacturer for BIOS upgrade instructions. |
|
This version of Windows does not include BitLocker Drive Encryption. To use BitLocker Drive Encryption, please upgrade the operating system. |
|
BitLocker Drive Encryption cannot be used because critical BitLocker system files are missing or corrupted. Use Windows Startup Repair to restore these files to your computer. |
|
The drive cannot be locked when the drive is in use. |
|
The access token associated with the current thread is not an impersonated token. |
|
The BitLocker encryption key cannot be obtained. Verify that the Trusted Platform Module (TPM) is enabled and ownership has been taken. If this computer does not have a TPM, verify that the USB drive is inserted and available. |
|
You must restart your computer before continuing with BitLocker Drive Encryption. |
|
Drive encryption cannot occur while boot debugging is enabled. Use the bcdedit command-line tool to turn off boot debugging. |
|
No action was taken as BitLocker Drive Encryption is in raw access mode. |
|
BitLocker Drive Encryption cannot enter raw access mode for this drive because the drive is currently in use. |
|
The path specified in the Boot Configuration Data (BCD) for a BitLocker Drive Encryption integrity-protected application is incorrect. Please verify and correct your BCD settings and try again. |
|
BitLocker Drive Encryption can only be used for limited provisioning or recovery purposes when the computer is running in pre-installation or recovery environments. |
|
The auto-unlock master key was not available from the operating system drive. |
|
The system firmware failed to enable clearing of system memory when the computer was restarted. |
|
The hidden drive cannot be encrypted. |
|
BitLocker encryption keys were ignored because the drive was in a transient state. |
|
Public key based protectors are not allowed on this drive. |
|
BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing. |
|
This version of Windows does not support this feature of BitLocker Drive Encryption. To use this feature, upgrade the operating system. |
|
The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information. |
|
Group policy settings do not permit the creation of a recovery password. |
|
Group policy settings require the creation of a recovery password. |
|
Group policy settings do not permit the creation of a recovery key. |
|
Group policy settings require the creation of a recovery key. |
|
Group policy settings do not permit the use of a PIN at startup. Please choose a different BitLocker startup option. |
|
Group policy settings require the use of a PIN at startup. Please choose this BitLocker startup option. |
|
Group policy settings do not permit the use of a startup key. Please choose a different BitLocker startup option. |
|
Group policy settings require the use of a startup key. Please choose this BitLocker startup option. |
|
Group policy settings do not permit the use of a startup key and PIN. Please choose a different BitLocker startup option. |
|
Group policy settings require the use of a startup key and PIN. Please choose this BitLocker startup option. |
|
Group policy does not permit the use of TPM-only at startup. Please choose a different BitLocker startup option. |
|
Group policy settings require the use of TPM-only at startup. Please choose this BitLocker startup option. |
|
The PIN provided does not meet minimum or maximum length requirements. |
|
The key protector is not supported by the version of BitLocker Drive Encryption currently on the drive. Upgrade the drive to add the key protector. |
|
Group policy settings do not permit the creation of a password. |
|
Group policy settings require the creation of a password. |
|
The group policy setting requiring FIPS compliance prevented the password from being generated or used. Please contact your domain administrator for more information. |
|
A password cannot be added to the operating system drive. |
|
The BitLocker object identifier (OID) on the drive appears to be invalid or corrupt. Use manage-BDE to reset the OID on this drive. |
|
The drive is too small to be protected using BitLocker Drive Encryption. |
|
The selected discovery drive type is incompatible with the file system on the drive. BitLocker To Go discovery drives must be created on FAT formatted drives. |
|
The selected discovery drive type is not allowed by the computer's Group Policy settings. Verify that Group Policy settings allow the creation of discovery drives for use with BitLocker To Go. |
|
Group Policy settings do not permit user certificates such as smart cards to be used with BitLocker Drive Encryption. |
|
Group Policy settings require that you have a valid user certificate, such as a smart card, to be used with BitLocker Drive Encryption. |
|
Group Policy settings requires that you use a smart card-based key protector with BitLocker Drive Encryption. |
|
Group Policy settings do not permit BitLocker-protected fixed data drives to be automatically unlocked. |
|
Group Policy settings do not permit BitLocker-protected removable data drives to be automatically unlocked. |
|
Group Policy settings do not permit you to configure BitLocker Drive Encryption on removable data drives. |
|
Group Policy settings do not permit you to turn on BitLocker Drive Encryption on removable data drives. Please contact your system administrator if you need to turn on BitLocker. |
|
Group Policy settings do not permit turning off BitLocker Drive Encryption on removable data drives. Please contact your system administrator if you need to turn off BitLocker. |
|
Your password does not meet minimum password length requirements. By default, passwords must be at least 8 characters in length. Check with your system administrator for the password length requirement in your organization. |
|
Your password does not meet the complexity requirements set by your system administrator. Try adding upper and lowercase characters, numbers, and symbols. |
|
This drive cannot be encrypted because it is reserved for Windows System Recovery Options. |
|
BitLocker Drive Encryption cannot be applied to this drive because of conflicting Group Policy settings. BitLocker cannot be configured to automatically unlock fixed data drives when user recovery options are disabled. If you want BitLocker-protected fixed data drives to be automatically unlocked after key validation has occurred, please ask your system administrator to resolve the settings conflict before enabling BitLocker. |
|
BitLocker Drive Encryption cannot be applied to this drive because of conflicting Group Policy settings. BitLocker cannot be configured to automatically unlock removable data drives when user recovery option are disabled. If you want BitLocker-protected removable data drives to be automatically unlocked after key validation has occured, please ask your system administrator to resolve the settings conflict before enabling BitLocker. |
|
The Enhanced Key Usage (EKU) attribute of the specified certificate does not permit it to be used for BitLocker Drive Encryption. BitLocker does not require that a certificate have an EKU attribute, but if one is configured it must be set to an object identifier (OID) that matches the OID configured for BitLocker. |
|
BitLocker Drive Encryption cannot be applied to this drive as currently configured because of Group Policy settings. The certificate you provided for drive encryption is self-signed. Current Group Policy settings do not permit the use of self-signed certificates. Obtain a new certificate from your certification authority before attempting to enable BitLocker. |
|
BitLocker Encryption cannot be applied to this drive because of conflicting Group Policy settings. When write access to drives not protected by BitLocker is denied, the use of a USB startup key cannot be required. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker. |
|
BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on operating system drives. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker. |
|
The requested virtualization size is too big. |
|
BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on operating system drives. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker. |
|
BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on fixed data drives. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker. |
|
BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on removable data drives. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker. |
|
The Key Usage (KU) attribute of the specified certificate does not permit it to be used for BitLocker Drive Encryption. BitLocker does not require that a certificate have a KU attribute, but if one is configured it must be set to either Key Encipherment or Key Agreement. |
|
The private key associated with the specified certificate cannot be authorized. The private key authorization was either not provided or the provided authorization was invalid. |
|
Removal of the data recovery agent certificate must be done using the Certificates snap-in. |
|
This drive was encrypted using the version of BitLocker Drive Encryption included with Windows Vista and Windows Server 2008 which does not support organizational identifiers. To specify organizational identifiers for this drive upgrade the drive encryption to the latest version using the "manage-bde -upgrade" command. |
|
The drive cannot be locked because it is automatically unlocked on this computer. Remove the automatic unlock protector to lock this drive. |
|
The default Bitlocker Key Derivation Function SP800-56A for ECC smart cards is not supported by your smart card. The Group Policy setting requiring FIPS-compliance prevents BitLocker from using any other key derivation function for encryption. You have to use a FIPS compliant smart card in FIPS restricted environments. |
|
The BitLocker encryption key could not be obtained from the Trusted Platform Module (TPM) and enhanced PIN. Try using a PIN containing only numerals. |
|
The requested TPM PIN contains invalid characters. |
|
The management information stored on the drive contained an unknown type. If you are using an old version of Windows, try accessing the drive from the latest version. |
|
The feature is only supported on EFI systems. |
|
More than one Network Key Protector certificate has been found on the system. |
|
Removal of the Network Key Protector certificate must be done using the Certificates snap-in. |
|
An invalid certificate has been found in the Network Key Protector certificate store. |
|
This drive isn't protected with a PIN. |
|
Please enter the correct current PIN. |
|
You must be logged on with an administrator account to change the PIN or password. Click the link to reset the PIN or password as an administrator. |
|
BitLocker has disabled PIN and password changes after too many failed requests. Click the link to reset the PIN or password as an administrator. |
|
Your system administrator requires that passwords contain only printable ASCII characters. This includes unaccented letters (A-Z, a-z), numbers (0-9), space, arithmetic signs, common punctuation, separators, and the following symbols: # $ & @ ^ _ ~ . |
|
BitLocker Drive Encryption only supports used space only encryption on thin provisioned storage. |
|
BitLocker Drive Encryption does not support wiping free space on thin provisioned storage. |
|
The required authentication key length is not supported by the drive. |
|
This drive isn't protected with a password. |
|
Please enter the correct current password. |
|
The password cannot exceed 256 characters. |
|
A password key protector cannot be added because a TPM protector exists on the drive. |
|
A TPM key protector cannot be added because a password protector exists on the drive. |
|
This command can only be performed from the coordinator node for the specified CSV volume. |
|
This command cannot be performed on a volume when it is part of a cluster. |
|
BitLocker did not revert to using BitLocker software encryption due to group policy configuration. |
|
The drive cannot be managed by BitLocker because the drive's hardware encryption feature is already in use. |
|
Group Policy settings do not allow the use of hardware-based encryption. |
|
The drive specified does not support hardware-based encryption. |
|
BitLocker cannot be upgraded during disk encryption or decryption. |
|
Discovery Volumes are not supported for volumes using hardware encryption. |
|
No pre-boot keyboard detected. The user may not be able to provide required input to unlock the volume. |
|
No pre-boot keyboard or Windows Recovery Environment detected. The user may not be able to provide required input to unlock the volume. |
|
Group Policy settings require the creation of a startup PIN, but a pre-boot keyboard is not available on this device. The user may not be able to provide required input to unlock the volume. |
|
Group Policy settings require the creation of a recovery password, but neither a pre-boot keyboard nor Windows Recovery Environment is available on this device. The user may not be able to provide required input to unlock the volume. |
|
Wipe of free space is not currently taking place. |
|
BitLocker cannot use Secure Boot for platform integrity because Secure Boot has been disabled. |
|
BitLocker cannot use Secure Boot for platform integrity because the Secure Boot configuration does not meet the requirements for BitLocker. |
|
Your computer doesn't support BitLocker hardware-based encryption. Check with your computer manufacturer for firmware updates. |
|
BitLocker cannot be enabled on the volume because it contains a Volume Shadow Copy. Remove all Volume Shadow Copies before encrypting the volume. |
|
BitLocker Drive Encryption cannot be applied to this drive because the Group Policy setting for Enhanced Boot Configuration Data contains invalid data. Please have your system administrator resolve this invalid configuration before attempting to enable BitLocker. |
|
This PC's firmware is not capable of supporting hardware encryption. |
|
BitLocker has disabled password changes after too many failed requests. Click the link to reset the password as an administrator. |
|
You must be logged on with an administrator account to change the password. Click the link to reset the password as an administrator. |
|
BitLocker cannot save the recovery password because the specified Microsoft account is Suspended. |
|
BitLocker cannot save the recovery password because the specified MIcrosoft account is Blocked. |
|
This PC is not provisioned to support device encryption. Please enable BitLocker on all volumes to comply with device encryption policy. |
|
This PC cannot support device encryption because unencrypted fixed data volumes are present. |
|
This PC does not meet the hardware requirements to support device encryption. |
|
This PC cannot support device encryption because WinRE is not properly configured. |
|
Protection is enabled on the volume but has been suspended. This is likely to have happened due to an update being applied to your system. Please try again after a reboot. |
|
This PC is not provisioned to support device encryption. |
|
Device Lock has been triggered due to too many incorrect password attempts. |
|
Protection has not been enabled on the volume. Enabling protection requires a connected account. If you already have a connected account and are seeing this error, please refer to the event log for more information. |
|
Your PIN can only contain numbers from 0 to 9. |
|
BitLocker cannot use hardware replay protection because no counter is available on your PC. |
|
Device Lockout state validation failed due to counter mismatch. |
|
The input buffer is too large. |
Requirements
| Requirement | Value |
|---|---|
| Header |
|
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for