Full Encryption Errors

Applies To: WatchGuard Full Encryption

This feature is only available to participants in the WatchGuard Endpoint Security Beta program.

This topic describes some of the most common errors that can occur when Full Encryption encrypts computers, and how to resolve them.

To see encryption status errors, in the WatchGuard Endpoint Security web UI:

  1. Select Status > Full Encryption.

  2. On the dashboard, in the Encryption Status tile, select Errors.
    The Encryption Status list opens and shows all errors. Some error messages depend on the settings defined for Full Encryption. To see error details, select an error message in the table.

Encryption Errors Pending User Action

These error messages can appear when the user must enter a password or restart the computer before encryption can continue.

Error Description/Solution

Error 232
This error message occurs when Full Encryption tries to encrypt a Windows Server Core installation.

On Windows Server Core, the bdehdcfg component (the BitLocker Drive Preparation Tool) is not available by default. Full Encryption requires this component to encrypt this operating system. To avoid the error message, follow Microsoft's instructions to download and install the component, then retry encryption.

If the problem persists, collect data from the computer and report the issue to WatchGuard Support.

(No error code is shown for this message.) The TPM is disabled. Enable the TPM in the computer's firmware (UEFI/BIOS) settings, restart the computer, and retry encryption.

-2144272329 The group policy setting that requires FIPS compliance prevents a local recovery password from being generated and written to the key backup file. Encryption continues.

-2144272290 The group policy for encryption without a TPM is not set. Enable the Require additional authentication at startup group policy and select the Allow BitLocker without a compatible TPM check box.

-2144272177 See Microsoft COM Error Codes (TPM, PLA, FVE).
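The following PowerShell script is an added example for the Error 232 row above; it is not WatchGuard code. Run it in an elevated session on the Windows Server Core computer before retrying encryption. It checks whether bdehdcfg.exe is present and, if not, whether the BitLocker optional feature is installed. The script assumes that the BitLocker feature on Windows Server is what delivers bdehdcfg.exe; if the tool is still missing after the feature is installed, follow Microsoft's instructions as the table says.

```powershell
# Added example (not WatchGuard code): prerequisite check for Error 232 on Windows Server Core.
# Run in an elevated PowerShell session. Assumption: bdehdcfg.exe (BitLocker Drive
# Preparation Tool) is delivered by the BitLocker optional feature on Windows Server.

$tool = Join-Path $env:SystemRoot 'System32\bdehdcfg.exe'

if (Test-Path $tool) {
    Write-Host "bdehdcfg.exe is present: $tool"
    # Show the partition layout of the system drive; a separate system partition is
    # what bdehdcfg creates for BitLocker (bdehdcfg -target default -size 350 -quiet).
    & $tool -driveinfo $env:SystemDrive
    return
}

Write-Host 'bdehdcfg.exe not found; checking the BitLocker feature state.'
# Get-WindowsFeature / Install-WindowsFeature come from the ServerManager module,
# which is available on Server Core installations.
$feature = Get-WindowsFeature -Name BitLocker

if (-not $feature.Installed) {
    Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools
    Write-Host 'BitLocker feature installed. Restart the server, re-run this check, then retry encryption.'
} else {
    Write-Host 'BitLocker feature is installed but bdehdcfg.exe is still missing.'
    Write-Host 'Obtain the component per Microsoft guidance; if Error 232 persists, collect data and contact WatchGuard Support.'
}
```

A restart is required after the feature is installed; retrying encryption before the restart reproduces the same error.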

Errors Encrypting the Computer

Encryption errors have various causes and can require different solutions.

If the computer can only be encrypted with a USB drive for authentication (for example, because it has no TPM), but the encryption settings do not allow encryption of this type of computer, assign the computer a settings profile with encryption disabled.

An error also occurs if the computer does not support the authentication method selected in the settings. For example, the method Do not ask for a password to access the computer requires a security processor (TPM). Edit the settings to select a method the computer supports, and verify that the problem is resolved.

Error Description/Solution
-2144862202 The TPM is inactive.
-2144862188 The TPM already has an owner.
-2144272293 The group policy for the specified authentication method is not set. Enable the Require additional authentication at startup group policy.
-2144862208 See Microsoft COM Error Codes (TPM, PLA, FVE).
-2144845809 A compatible TPM security device cannot be found on this computer.
-2144272203 This error message is caused by a known Microsoft issue that affects Surface Pro devices.

This known issue requires you to set a BitLocker Group Policy Object (GPO) manually. The policy setting allows users to enable authentication options that require input from the pre-boot environment, even if the platform reports that it has no pre-boot input capability. For more information, see Enable the Local Group Policy.
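The following PowerShell script is an added triage helper for the codes in the two tables above; it is not WatchGuard code. The web UI reports the codes as signed decimal values, while Microsoft's COM Error Codes (TPM, PLA, FVE) reference lists them as 32-bit hexadecimal HRESULTs, so the first function converts between the two and names the facility (40 is TPM, 49 is FVE, that is, BitLocker). The second part reads the local TPM state with the built-in Get-Tpm cmdlet and maps it to the TPM rows above. The list of codes fed to the converter is constructed from this page for the example.

```powershell
# Added example (not WatchGuard code): decode the decimal error codes shown in the
# Full Encryption web UI into the hexadecimal HRESULTs used by Microsoft's COM error
# code reference, then check the local TPM state that explains the TPM-facility rows.

function Convert-ToHResult {
    param([Parameter(Mandatory)][int]$Code)
    # Reinterpret the signed 32-bit decimal as an unsigned value (e.g. -2144845809 -> 0x8028400F).
    $unsigned = [BitConverter]::ToUInt32([BitConverter]::GetBytes($Code), 0)
    # HRESULT layout: bit 31 = failure, bits 16-26 = facility, bits 0-15 = code.
    $facility = ([long]$unsigned -shr 16) -band 0x7FF
    $facilityName = switch ($facility) {
        40      { 'TPM' }
        49      { 'FVE (BitLocker)' }
        default { "facility $facility" }
    }
    [pscustomobject]@{
        Decimal  = $Code
        Hex      = '0x{0:X8}' -f $unsigned
        Facility = $facilityName
    }
}

# Constructed input: the codes listed in the tables on this page.
$codes = -2144862202, -2144862188, -2144845809, -2144862208,
         -2144272329, -2144272290, -2144272293, -2144272177, -2144272203
$codes | ForEach-Object { Convert-ToHResult $_ } | Format-Table -AutoSize

# Local TPM state. Get-Tpm is in the built-in TrustedPlatformModule module
# (Windows 8 / Windows Server 2012 and later); run elevated.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    Write-Warning 'No compatible TPM found (matches -2144845809). Use USB authentication or a settings profile that allows encryption without a TPM.'
} elseif (-not ($tpm.TpmEnabled -and $tpm.TpmActivated)) {
    Write-Warning 'TPM is present but disabled or inactive (matches -2144862202 / "The TPM is disabled"). Enable and activate it in the firmware (UEFI) settings.'
} elseif (-not $tpm.TpmReady) {
    Write-Warning 'TPM is enabled but not ready for BitLocker; inspect Get-Tpm output (RestartPending, ownership state).'
} else {
    Write-Host 'TPM is present, enabled, activated and ready; remaining errors are policy related (FVE facility).'
}
```

Codes in the TPM facility (0x8028xxxx) point at the hardware or its firmware state; codes in the FVE facility (0x8031xxxx) almost always point at a missing or conflicting BitLocker group policy setting.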

Enable the Local Group Policy

To enable the Local Group Policy for BitLocker:

  1. Press the Windows key + R.
  2. In the Run dialog box, type gpedit.msc.
  3. Click OK.
  4. In the Local Computer Policy section, navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
  5. Double-click the Enable use of BitLocker authentication requiring pre-boot keyboard input on slates policy setting, select Enabled, and click OK.

When this option is enabled, devices must have an alternative means of pre-boot input, such as an attached USB keyboard; otherwise the user cannot respond to the pre-boot prompt.

  6. Restart the computer.
    If the problem persists, contact WatchGuard Technical Support.
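The following PowerShell script is an added example, not WatchGuard's code, that applies the BitLocker policy settings named on this page without gpedit.msc, which is useful on computers without the console or when many computers need the change. The registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones gpedit.msc writes for the Require additional authentication at startup policy (including the Allow BitLocker without a compatible TPM check box, referenced by codes -2144272293 and -2144272290 above) and for the slate pre-boot input policy (the Surface Pro workaround for -2144272203). The script assumes the computer is not also receiving a conflicting domain policy, which would overwrite local policy at the next refresh. Run it elevated.

```powershell
# Added example (not WatchGuard code): set the local BitLocker policies from this page
# through the registry. Run in an elevated PowerShell session. Assumption: no domain
# GPO for BitLocker overrides these local values.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# "Require additional authentication at startup" = Enabled.
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
# "Allow BitLocker without a compatible TPM" check box inside that policy.
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
# Per-method settings the policy editor writes alongside it:
# 2 = Allow, 1 = Require, 0 = Do not allow. "Allow" everywhere leaves the actual
# choice of method to the Full Encryption settings profile.
foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $fve -Name $name -Value 2 -Type DWord
}

# "Enable use of BitLocker authentication requiring pre-boot keyboard input on slates" = Enabled.
Set-ItemProperty -Path $fve -Name OSEnablePrebootInputProtectorsOnSlates -Value 1 -Type DWord

# Show what was written, then refresh policy. A restart is still required, as in step 6.
Get-ItemProperty -Path $fve |
    Select-Object UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseTPMPIN,
                  UseTPMKey, UseTPMKeyPIN, OSEnablePrebootInputProtectorsOnSlates
gpupdate /force
```

To undo the slate workaround later, set OSEnablePrebootInputProtectorsOnSlates back to 0 or remove the value; deleting the whole FVE key also removes the startup authentication policy, which would bring back the -2144272293 and -2144272290 errors.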