
Fix FVE_E_OS_NOT_PROTECTED (0X80310020) - Boot Drive Not Encrypted

Hardware – Hard Drives | Intermediate | Jun 8, 2026

Your boot drive isn't BitLocker protected due to a missing TPM or corrupted metadata. Fix it by reinitializing TPM and re-enabling encryption.

Quick Answer

Run manage-bde -on C: from an elevated command prompt, then reboot. If it fails, clear and reinitialize the TPM via tpm.msc or BIOS.

What’s Going On Here?

This error means Windows thinks your boot volume (the C drive) is supposed to be encrypted with BitLocker, but the TPM chip isn't playing ball. I've seen this mostly on Dell and HP business laptops after a BIOS update or when someone accidentally cleared the TPM in the firmware settings. The OS sees the TPM as absent or uninitialized, so it refuses to protect the volume. Had a client last month whose entire print queue died because of this — their IT guy wiped the TPM trying to fix a different boot issue and broke BitLocker.

The error code 0X80310020 specifically comes from the BitLocker driver’s integrity check. It's not a data-loss error, but it does mean encryption is off, so your drive is readable if stolen. Don't panic — you can fix it without reinstalling Windows.

Step-by-Step Fix

  1. Open an elevated command prompt. Hit the Start button, type cmd, right-click Command Prompt, and pick “Run as administrator.” Accept the UAC prompt.
  2. Check TPM status. Type tpm.msc and hit Enter. If the TPM Management console shows “Compatible TPM cannot be found,” skip to the alternative fixes below. If it shows the TPM is present but not ready, click “Prepare the TPM” on the right-hand panel. Wait 30 seconds.
  3. Initialize the TPM from BIOS. If step 2 fails, reboot and enter your BIOS (usually F2 or Del on boot). Look for a “Security” or “Trusted Computing” tab. Find “TPM Device” or “PTT” and set it to “Enabled” or “Firmware TPM.” Save and exit. Reboot into Windows.
  4. Enable BitLocker again. Back at the elevated command prompt, run:
    manage-bde -on C:
    If it says the drive is already encrypted but protection is off, run:
    manage-bde -protectors -enable C:
  5. Reboot twice. This forces the TPM to take ownership of the keys. First reboot solidifies the protection, second reboot confirms it's active.
  6. Verify encryption. In the same command prompt, type:
    manage-bde -status C:
    Look for “Protection Status: On” and “Encryption Percentage: 100%.”

Alternative Fixes (When the Main One Fails)

Option 1: Clear TPM from BIOS. In BIOS, find the TPM menu and choose “Clear” or “Reset.” This wipes the TPM’s stored keys. Reboot, then reinitialize it from Windows using tpm.msc. I’ve had to do this on a few Lenovo ThinkPads where the TPM got stuck in a weird state after a firmware update.

Option 2: Disable and re-enable BitLocker via Group Policy. Run gpedit.msc, go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Set “Require additional authentication at startup” to “Enabled” and check “Allow BitLocker without a compatible TPM.” Apply, reboot, then run manage-bde -on C: again. This works when the TPM is present but Windows refuses to acknowledge it. Keep in mind that a drive encrypted this way unlocks with a password or a USB startup key instead of the TPM.

Option 3: Check for pending Windows Updates. Some cumulative updates fix TPM driver bugs. Open Settings > Update & Security > Check for updates. Install any pending ones, reboot, then retry. Had a client on a Surface Pro 7 where a missing update fixed this exact error.

Option 4: Use PowerShell to reset BitLocker metadata. Only do this if you're comfortable backing up first. Run as admin:

    # Removes all key protectors and starts decrypting C:
    Disable-BitLocker -MountPoint "C:"
    # Same operation from the command prompt; one of the two is enough
    manage-bde -off C:

Wait for decryption to finish (check with manage-bde -status C:), then run manage-bde -on C: fresh. This nukes corrupted metadata.

Prevention Tips

  • Never clear TPM without suspending BitLocker first. If you need to reset the TPM for any reason, run manage-bde -protectors -disable C: first, then clear, then re-enable with manage-bde -protectors -enable C:. Saves hours of headache.
  • Keep BIOS and firmware updated. Outdated TPM firmware triggers this error on AMD Ryzen laptops. Check your OEM’s support page quarterly.
  • Save your recovery key. Print it or store it in your Microsoft account. If things go sideways, you won’t lose data. I’ve pulled three people out of the fire with saved keys this year.
  • Test encryption after BIOS updates. Run manage-bde -status after any firmware change. If it shows “Protection Off,” re-enable with the command from step 4 above.
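
The post-change check from the tips above, written out as an added PowerShell example (not part of the original article). It only reads TPM and BitLocker state for C: and maps the result to the step that applies; the function name Get-OsDriveProtectionReport is made up for this example, and it assumes an elevated PowerShell session.

```powershell
# Added example: read-only audit of TPM and BitLocker state for the OS drive.
# Run from an elevated PowerShell prompt. The function name is hypothetical.
function Get-OsDriveProtectionReport {
    param([string]$MountPoint = 'C:')

    $tpm   = Get-Tpm
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    # Protector types on the volume, e.g. Tpm, RecoveryPassword
    $types = @($vol.KeyProtector.KeyProtectorType)

    # Pick the article step that applies, most fundamental problem first.
    $next = if (-not $tpm.TpmPresent) {
        'No TPM visible to Windows: enable TPM/PTT in BIOS (step 3)'
    } elseif (-not $tpm.TpmReady) {
        'TPM present but not ready: prepare it in tpm.msc (step 2)'
    } elseif ($vol.VolumeStatus -eq 'FullyDecrypted') {
        'Volume is not encrypted: manage-bde -on C: (step 4)'
    } elseif ($vol.VolumeStatus -ne 'FullyEncrypted') {
        # Protection reads Off while a conversion is still running
        'Conversion in progress: wait, then recheck with manage-bde -status C:'
    } elseif ($vol.ProtectionStatus -ne 'On') {
        'Encrypted but protection is off: manage-bde -protectors -enable C: (step 4)'
    } elseif ($types -notcontains 'RecoveryPassword') {
        'Protected, but no recovery password protector: add one and save the key'
    } else {
        'OK: protection is on and a recovery password exists'
    }

    [pscustomobject]@{
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        VolumeStatus      = $vol.VolumeStatus
        ProtectionStatus  = $vol.ProtectionStatus
        EncryptionPercent = $vol.EncryptionPercentage
        KeyProtectors     = $types -join ', '
        NextStep          = $next
    }
}

Get-OsDriveProtectionReport | Format-List
```

Run it after any BIOS or TPM firmware change; anything other than the OK line in NextStep means the drive is currently not protected by BitLocker.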

Real talk: This error is almost always a TPM hiccup, not a drive failure. Stick to the steps above, and you’ll be back in business in under 15 minutes. If you hit a wall, check Event Viewer under System for TPM-related warning events; they often point to the exact culprit.
