Troubleshoot Full Encryption

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP

WatchGuard Full Encryption encrypts and decrypts computer drives and removable storage devices with no impact on users. Full Encryption takes advantage of hardware resources, such as a Trusted Platform Module (TPM) chip, and Microsoft BitLocker technology to encrypt and decrypt drives. For more information, see About Full Encryption.

Troubleshoot a BitLocker Recovery Key

When Microsoft BitLocker enters recovery mode, it requests a recovery key at system startup. If you enter a recovery key but BitLocker reports that the key is incorrect, you can retrieve the earlier recovery keys that Full Encryption stores for the computer. For more information, see Manage Recovery Keys in Full Encryption.

If BitLocker rejects the recovery key you submit, first make sure that the character string you typed is correct and contains no spaces. In some cases, software other than the WatchGuard Agent might have modified the BitLocker configuration, for example by adding a new key protector. If so, BitLocker might require a recovery key whose recovery key ID Full Encryption does not store. When you request a recovery key from Full Encryption, compare the recovery key ID of the key you receive with the recovery key ID that BitLocker shows on the recovery screen; only a key with the same ID can unlock the drive.

Screenshot of the BitLocker UI

If you do not see the recovery key ID that BitLocker shows at Computers > Details > Get Recovery Key, it is likely that a system change was made to the device outside of Full Encryption, and Full Encryption has no recovery key that pairs with that recovery key ID.
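The two checks described in this section, as an added PowerShell example that is not code from the WatchGuard page or product: the first function applies BitLocker's own format rules to a typed recovery password so that a typo is caught before another failed attempt at the recovery screen; the second lists the key protectors on the drive and looks for the Key ID shown on that screen. Get-BitLockerVolume comes from the Windows BitLocker module; the sample passwords and the placeholder Key ID are constructed for the example.

```powershell
# Added example, not from the WatchGuard page or product. Run from an elevated
# PowerShell prompt on a computer that has the BitLocker module (Windows 8 / Server 2012 and later).

function Test-BitLockerRecoveryPassword {
    # A BitLocker recovery password is 48 digits in 8 groups of 6. Each group is a multiple
    # of 11 (the last digit acts as a check digit) and is below 720896 (65536 * 11). BitLocker
    # rejects a password that fails these rules before it even tries the key, so most typos
    # can be caught here. A well-formed password can still be the wrong key for this drive.
    param([Parameter(Mandatory)][string]$Password)

    $digits = $Password -replace '[\s-]', ''   # spaces and hyphens are separators, not key material
    if ($digits -notmatch '^\d{48}$') { return $false }

    for ($i = 0; $i -lt 48; $i += 6) {
        $group = [int]$digits.Substring($i, 6)
        if (($group % 11) -ne 0 -or $group -ge 720896) { return $false }
    }
    return $true
}

function Find-RecoveryProtector {
    # Returns the RecoveryPassword protector(s) on $MountPoint whose ID begins with the Key ID
    # from the recovery screen (the screen may show the ID in full or only its first characters),
    # or nothing if no protector on the drive has that ID.
    param(
        [Parameter(Mandatory)][string]$ShownKeyId,
        [string]$MountPoint = 'C:'
    )
    $wanted = $ShownKeyId.Trim('{}').ToUpperInvariant()
    if (-not $wanted) { return }
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object {
            $_.KeyProtectorType -eq 'RecoveryPassword' -and
            $_.KeyProtectorId.Trim('{}').ToUpperInvariant().StartsWith($wanted)
        }
}

# Constructed sample input: a well-formed password typed with a stray space, and one with a wrong last digit.
$typedOk  = '122221-244442-366663-488884-611105-660000-135795- 597531'
$typedBad = '122221-244442-366663-488884-611105-660000-135795-597532'
foreach ($p in $typedOk, $typedBad) {
    $verdict = if (Test-BitLockerRecoveryPassword $p) { 'well-formed' } else { 'malformed: retype it' }
    "$p -> $verdict"
}

# Placeholder value: paste the Key ID from the BitLocker recovery screen here.
$shownKeyId = '00000000-0000-0000-0000-000000000000'
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize
if (Find-RecoveryProtector -ShownKeyId $shownKeyId) {
    "Key ID $shownKeyId is a protector on C:; request the recovery key for that ID from Full Encryption."
} else {
    "Key ID $shownKeyId is not a protector on C:; BitLocker was probably reconfigured outside Full Encryption."
}
```

The protector listing cannot be run at the recovery screen itself. On a computer that is stuck there, run manage-bde -protectors -get C: from the Windows Recovery Environment command prompt instead; it prints each protector type and ID, which you can compare with the ID that Full Encryption shows for the stored key. The format check only rules out typos: a password that passes it can still belong to a different drive or a protector that was since removed.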

Troubleshoot TPM Chip and Policy Errors

Full Encryption uses Trusted Platform Module (TPM) technology to manage the encryption of WatchGuard Endpoint Security protected computers. Some computers have a TPM chip installed on their motherboard. On these computers, BitLocker seals the key that protects the drive to the TPM, and the TPM releases it during boot only when the measured boot components (firmware, boot manager, and boot configuration) match the values recorded when the drive was encrypted. A change to the boot sequence, such as a firmware update or a modified boot loader, therefore causes BitLocker to enter recovery mode and ask for a recovery key. For more information, see About Trusted Platform Module Technology (Windows Computers).

You might see these TPM errors on your device:

Error -2144272203

This error might occur on tablet devices that have no physical keyboard. It indicates that you must enable a local policy that allows BitLocker to require keyboard input on such devices, so that a password can be entered in the pre-boot phase of the system boot. Note that the Windows touch keyboard is not available in the pre-boot environment, so on a device with no physical keyboard you must attach one (for example, a USB keyboard) to enter the password at startup.

To enable the local policy:

  1. Select Start > Run, and run the gpedit.msc command.
    The Local Group Policy Editor opens.
  2. Browse to:
    Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
  3. From Operating System Drives, select Enable Use of BitLocker Authentication Requiring Preboot Keyboard Input on Slates, click Policy Setting, and enable the local policy.

Screenshot of Policy Setting

  4. Restart the computer.

Error -2144272280

This error might occur when you try to encrypt a computer, after you enter a password but before the encryption process starts. It means that the password is shorter than the minimum number of characters that the system requires. Use a password at least as long as the minimum length set in the Configure Minimum PIN Length for Startup policy; the policy dialog shows the allowed range.

Screenshot of the Configure Minimum PIN Length for Startup policy

An error might also occur if some local policies are not enabled. Make sure that no higher-level policy, such as a domain Group Policy Object, prevents you from changing the local policies: domain policy takes precedence over Local Group Policy, and a domain GPO that configures these settings overwrites any local change at the next policy refresh.

If no such global policy issues exist, make sure to enable these local policies:

  1. Browse to this location:
    Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
  2. Enable these policies:
    • Require Additional Authentication at Startup
    • Allow Enhanced PINs for Startup
    • Configure Minimum PIN Length for Startup
    • Configure Use of Passwords for Operating System Drives
    • Choose How BitLocker-Protected Operating System Drives Can Be Recovered
  3. Restart the computer.
  4. Try to encrypt a drive.
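The error codes and the two policy procedures in this section (the slates policy for error -2144272203 and the five operating-system-drive policies for error -2144272280), as an added PowerShell example that is not part of the WatchGuard page or product. ConvertTo-HResult turns the signed decimal codes that Windows reports into the hexadecimal HRESULT form used by winerror.h and Microsoft documentation (facility 49 is the BitLocker facility); Get-BitLockerOsDrivePolicyStatus reads the registry key that Local Group Policy and domain GPOs both write and reports which of the six policies is enabled on the computer. The registry value names are an assumption: they follow Microsoft's VolumeEncryption.admx template, and you should verify them against the template on your system before relying on them.

```powershell
# Added example, not from the WatchGuard page or product. Run from an elevated PowerShell
# prompt on the affected computer. Registry value names are assumed from Microsoft's
# VolumeEncryption.admx; verify them against the template on your system.

function ConvertTo-HResult {
    # Windows shows HRESULTs as signed 32-bit decimals; winerror.h and the documentation use hex.
    # Facility 49 (0x31) is FACILITY_FVE, the BitLocker facility.
    param([Parameter(Mandatory)][long]$Code)
    $u = [uint32]($Code -band [uint32]::MaxValue)
    $facility = [int](($u -shr 16) -band 0x7FF)
    [pscustomobject]@{
        Decimal     = $Code
        Hex         = '0x{0:X8}' -f $u
        Facility    = $facility
        ErrorCode   = [int]($u -band 0xFFFF)
        IsBitLocker = ($facility -eq 49)
    }
}

# Local Group Policy and domain GPOs both write BitLocker settings under this key.
$fvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Policy name as shown in gpedit -> registry value written when the policy is enabled (assumed names).
$osDrivePolicies = [ordered]@{
    'Enable use of BitLocker authentication requiring preboot keyboard input on slates' = 'OSEnablePreBootInputProtectorsOnSlates'
    'Require additional authentication at startup'                                     = 'UseAdvancedStartup'
    'Allow enhanced PINs for startup'                                                  = 'UseEnhancedPin'
    'Configure minimum PIN length for startup'                                         = 'MinimumPIN'
    'Configure use of passwords for operating system drives'                           = 'OSPassphrase'
    'Choose how BitLocker-protected operating system drives can be recovered'          = 'OSRecovery'
}

function Get-BitLockerOsDrivePolicyStatus {
    # Returns one object per policy. Enabled is $true when the value exists and is non-zero,
    # $false when it is 0 (explicitly disabled), and $null when the policy is not configured.
    # For the minimum PIN length policy, Data holds the configured length.
    $values = if (Test-Path $fvePolicyKey) { Get-ItemProperty -Path $fvePolicyKey } else { $null }
    foreach ($entry in $osDrivePolicies.GetEnumerator()) {
        $raw = if ($values) { $values.PSObject.Properties[$entry.Value].Value } else { $null }
        [pscustomobject]@{
            Policy        = $entry.Key
            RegistryValue = $entry.Value
            Enabled       = if ($null -eq $raw) { $null } else { ([int]$raw) -ne 0 }
            Data          = $raw
        }
    }
}

# The two error codes from this page, decoded.
$codes = @(-2144272203, -2144272280)
$codes | ForEach-Object { ConvertTo-HResult $_ } | Format-Table -AutoSize

# TPM state, since the TPM protector is what these policies govern (TrustedPlatformModule module).
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent); TPM ready: $($tpm.TpmReady)"

$status = Get-BitLockerOsDrivePolicyStatus
$status | Format-Table Policy, Enabled, Data -AutoSize

$missing = $status | Where-Object { -not $_.Enabled }
if ($missing) {
    'Not enabled: ' + (($missing | ForEach-Object { $_.Policy }) -join '; ')
    'Enable them in gpedit.msc under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives, then restart.'
}
```

If a policy shows as enabled here but gpedit reports Not Configured, or a local change reverts after gpupdate /force, a domain GPO is writing the value; gpresult /scope computer /h report.html shows which GPO wins. For error -2144272280, compare the Data column of the minimum PIN length policy with the length of the password you entered.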

Collect Data

If you still have issues, collect this information and send it to Support: