Re: Bitlocker Invalid Namespace Windows 11


Alfonzo Liebenstein

Jul 15, 2024, 7:57:20 AM
to daypropovet

Please follow this guide to fix the BitLocker Invalid Namespace Error
computer issue solution expert: Bitlokcer Invalid Namespace Error (techvisitworld.blogspot.com)
-invalid-namespace-error.html

If the Answer is helpful, please click "Accept Answer" and upvote it.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

bitlocker invalid namespace windows 11


Download file https://urluss.com/2yPrF8



Hi,
Just checking in to see if the information provided was helpful.
If the reply helped you, please remember to accept as answer.
If no, please reply and tell us the current situation in order to provide further help.

Hi, team! Thank you for your help, @Castorix31 and @Percival Yang! I followed the instructions you provided, and initially the CMD didn't find the 'win32_encryptablevolume.mof' file. Then I saved the info you shared to a .txt file with the given name, closed it and ran it as administrator, and it gave me a successful message, but when I entered mofcomp.exe win32_encryptablevolume.mof, it showed me the error again that it didn't find the file. What else can I do?

After running "Repair WMI" on a Windows 7 system with BitLocker Drive Encryption, the BitLocker WMI namespace is not available anymore.
Running "manage-bde -status" returns error 0x8004100e.
To fix this issue, you have to manually run "winmgmt /resetrepository" after using "Repair WMI" in SCCM Client Center.

We experience exactly the same. We operate +15000 Windows 7 ultimate devices with bitlocker. On those systems where we run the wmirepair we get the same error.
We are able to reproduce this on more machines.

BL is active, just not yet secure.
If you boot from a USB recovery you should be able to see the partition (C drive) is not formatted / unknown format, which indicates it is encrypted.
If you can see the partition and files then you can backup prior to reinstalling.

If you have a Local ID (have not logged in with a MS ID so that the key is stored on MS Servers), the key is stored in plain text on the computer. If you boot the computer from a rescue disk you can access it.

I have no use for encryption, and I disabled Bitlocker in Services long ago. After every update/upgrade I always check Services first to ensure that Bitlocker remains disabled, and that Windows Search (indexing) remains disabled.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things. We were all once "Average Users".

I have a new windows 11 we got for the office, local account. One that has no data on it, we just use it for meetings, etc. Let me grab it this week (but not tonight) and see if it has the staged bitlocker. It is one of the newish ARM based machines so in case that adds a wrinkle. Let me get the patching analysis behind me and I can look at it.

See Add-BitLockerKeyProtector (BitLocker) on Microsoft Learn for details on the BitLocker KeyProtector. This being Microsoft documentation, you can be led down a deep rabbit hole as almost nothing is straightforward.

Is there any other way to find the Bitlocker key without resorting to a Microsoft account? And if the key cannot be elucidated without involving a Microsoft Account, is it advisable to turn off Device Encryption in Settings?

What does the first PowerShell command, Get-BitLockerVolume (which also has to be run from PowerShell (Admin)) show for C: under Volume Status, Key Protector and Protection Status?

Edit
It seems the clear keys are stored on the encrypted volume in the BL metadata (which is not encrypted).
This means that Windows should never ask for the recovery key as long as the clear key is present, so issues we are seeing imply that the recovery key has been automatically backed up somewhere and the clear key removed.
If this is the case then a warning to users if the clear key is present, or a simple recovery key export attempt should be standard practice for all new machines, with regular checks if the disk remains encrypted but not protected to remind the user of the potential for data loss.

In this blog post, I am going to show some simple steps that you can add to your Task Sequences to be able to detect, disable, and enable BitLocker status. This can be useful (and necessary) when performing activities like flashing the BIOS, running the new MBR2GPT utility, or upgrading to a newer version of Windows. In Configuration Manager, there are a few Task Sequence steps that are for BitLocker configuration and management:

This will check the BitLocker status on the C: drive (which is hopefully the OS drive). Keep in mind that if there are other data volumes that are BitLocker encrypted, these will need to be detected and decrypted first. Those systems can be filtered out in the collection targeting or it can be built into the Task Sequence using the same logic as above.

Next, add an Enable BitLocker step under the Re-enable BitLocker Group (with the option set to Current operating system drive). Since the drive is already encrypted, this step will just re-enable the key protectors if they are currently disabled (for example, if you used manage-bde and specified a reboot count).

Remember that the built-in Disable BitLocker step will only disable BitLocker for one reboot (similar to what happens when you suspend BitLocker from the Control Panel applet), but if you used manage-bde with -RC 0, you will need to re-enable BitLocker.

root\cimv2\Security\MicrosoftVolumeEncryption is a secured namespace so it can only be viewed elevated. If testing from the admin console, you will need to launch the console as administrator in order to be able to use the Test Query feature.

You need to delete the protectors and recreate them once the system is UEFI. Depending on the encryption algorithm you are using, you might be better off decrypting and encrypting with a newer encryption algorithm. Check this blog for more details on the different types: -aes-xts-new-encryption-type/
-Mike

On the re-enable bitlocker step, the condition for OSDBitLockerStatus equals protected. In my test this does not re-enable BitLocker as it says the condition is FALSE, which is correct as I disabled BitLocker earlier in the TS.

Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer.
