Windows 11 BitLocker loop #40809
Description
Fleet version:
Server: Fleet 4.81.0 • Go go1.25.7
Agent: 1.52.1
Web browser and operating system: Agent OS is Windows 11 Pro 24H2 / 25H2
💥 Actual behavior
I am managing upwards of 100 machines with Fleet, and 3 of those (all Windows 11 Pro) are stuck in an encrypt/decrypt loop. The machines start out unencrypted, then Fleet is installed and the machines are added to a team that has disk encryption enforced. The machines encrypt, then error out, decrypt, then Fleet pushes another encryption request, they encrypt, decrypt, and the cycle continues.
🛠️ To fix
🧑💻 Steps to reproduce
I have not found a way to reproduce this yet.
🕯️ More info (optional)
All 3 machines having this issue are different spec, vendor, and even Windows 11 Pro version (two are 25H2, one is 24H2).
I have tried the following with no change:
- removing them from the Team, wait a couple days, add back to Team
- reinstalling Fleet agent
- upgrading Fleet (this has been going on for around 1 month)
Here is the Fleet error in the admin console:
The Fleet activity log mentions a key escrow on every reencrypt attempt.