⚠️ Troubleshooting Guide

Common problems and solutions for securing your system

Windows Troubleshooting

🔐 BitLocker Not Available

You can't find the BitLocker option in your Control Panel or settings.

💡 Solution:

  • BitLocker is only available on Windows Pro, Enterprise, and Education editions
  • Windows Home does NOT support BitLocker
  • Check your Windows edition: Settings → System → About
  • Alternative: Download and use VeraCrypt (free, open-source)
  • VeraCrypt download: veracrypt.fr

🔐 TPM Error When Enabling BitLocker

Error message: "This device can't use a Trusted Platform Module (TPM)"

💡 Solution:

  • Press Win + R, type: gpedit.msc
  • Navigate to: Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives
  • Double-click "Require additional authentication at startup"
  • Set to "Enabled"
  • Check "Allow BitLocker without a compatible TPM"
  • Click OK and retry BitLocker setup
  • You'll need to use a password or USB key instead

🔐 BitLocker Encryption Very Slow

BitLocker encryption is taking hours or seems stuck.

💡 This is Normal:

  • Full-disk encryption can take 1-8 hours depending on drive size
  • You CAN use your computer during encryption (performance may be slower)
  • Don't turn off, hibernate, or put the computer to sleep during initial encryption
  • Check progress: Control Panel → BitLocker → View status
  • If truly stuck for 12+ hours, restart and encryption will resume

📋 Can't Open secpol.msc

Getting an error when trying to open Local Security Policy (secpol.msc).

💡 Solution:

  • secpol.msc only exists on Pro/Enterprise/Education editions
  • Windows Home users: Use Group Policy Editor instead
  • Press Win + R, type: gpedit.msc
  • Navigate to: Computer Configuration → Windows Settings → Security Settings
  • Alternative: Upgrade to Windows Pro (if budget allows)

📋 Security Log Fills Up Too Quickly

Event Viewer's Security log is constantly full and overwriting events.

💡 Solution:

  • Open Event Viewer: Win + R → eventvwr.msc
  • Navigate to Windows Logs → Security
  • Right-click Security → Properties
  • Increase "Maximum log size" to 200 MB or more
  • Select "Archive the log when full, do not overwrite events"
  • Consider creating a Task Scheduler job to back up logs automatically every week
  • Use filters to reduce logged events (be careful not to miss important ones!)

📋 Too Many Events - Can't Find What I Need

The Security log has thousands of events and it's overwhelming.

💡 Solution - Use Filters:

  • In Event Viewer, right-click Security log → Filter Current Log
  • Filter by Event ID: Enter 4625 for failed logins, 4624 for successful logins
  • Filter by date: Set "Logged" to Last 24 hours or custom range
  • Filter by keywords: Enter username or computer name
  • Save useful filters: Actions → Create Custom View
  • Focus on critical Event IDs: 4625, 4624, 4720, 4732, 4738

🔑 Password Policy Not Working on Existing Passwords

You set a password policy, but existing users still have weak passwords.

💡 This is Expected Behavior:

  • Password policies only apply to NEW passwords or password changes
  • Existing passwords are grandfathered in
  • Force password reset: Win + R → lusrmgr.msc
  • Right-click each user → "Set Password" manually
  • Or set "Maximum password age" to force periodic changes
  • Users will be prompted to create a new password at next login

🔑 Account Locks Out Too Frequently

Users are getting locked out constantly due to failed login attempts.

💡 Solution - Adjust Settings:

  • Open: Win + R → secpol.msc
  • Navigate to Account Policies → Account Lockout Policy
  • Increase "Account lockout threshold" from 5 to 10-15 attempts
  • Increase "Reset account lockout counter after" to 60 minutes
  • Educate users about password requirements
  • Check audit logs for persistent attackers (Event ID 4625)

👥 Can't Access lusrmgr.msc

Local Users and Groups won't open on your system.

💡 Solution:

  • lusrmgr.msc is only available on Pro/Enterprise/Education editions
  • Alternative 1: Right-click Start → Computer Management → Local Users and Groups
  • Alternative 2: Use Command Prompt as Administrator
  • Change password: net user [username] *
  • Disable user: net user [username] /active:no
  • List users: net user

👥 Lost Admin Password

You changed the administrator password and forgot it or didn't write it down.

💡 Solutions (In Order of Difficulty):

  • If another admin account exists: Login with that account
  • Use password reset disk (if you created one beforehand)
  • Boot into Safe Mode and use built-in Administrator account
  • Use Windows installation media to reset password
  • Third-party tools: Ophcrack, Kon-Boot (use at your own risk)
  • Prevention: Always document admin passwords securely!

🛡️ Scheduled Antivirus Scan Doesn't Run

You created the startup scan task, but it never executes.

💡 Troubleshooting Steps:

  • Open Task Scheduler: Win + R → taskschd.msc
  • Find your task → Check status is "Ready" not "Disabled"
  • Right-click task → Properties → Verify "Run with highest privileges" is checked
  • Check the path: C:\Program Files\Windows Defender\MpCmdRun.exe
  • Verify arguments: -Scan -ScanType 1
  • Click "History" tab to see error messages
  • Test manually: Right-click task → Run
  • Check Windows Security for scan results

🛡️ Scan Runs But Doesn't Complete

The task starts, but the scan never finishes or shows results.

💡 Solution:

  • Increase startup delay to 2-3 minutes (system needs time to boot fully)
  • Open Windows Security → Virus & threat protection → Protection history
  • Test command manually: Open Command Prompt as Administrator
  • Run: "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1
  • Check system resources during startup - the scan may be too heavy for the machine at boot
  • Consider scheduling for 5 minutes after startup instead

⚠️ Still Having Issues?

If problems persist after trying these solutions:

  • Check Windows Update - ensure your system is fully updated
  • Run System File Checker: sfc /scannow in Admin Command Prompt
  • Check Windows Event Viewer for system errors
  • Consult Microsoft Support documentation
  • Post in r/techsupport or Microsoft Community forums

Linux Troubleshooting

🔐 LUKS Encryption Setup Failed

Getting errors when trying to set up LUKS encryption.

💡 Solution:

  • Ensure you have backed up ALL data first
  • Check you're using correct device: lsblk to list drives
  • Install cryptsetup: sudo apt install cryptsetup
  • Unmount the partition first: sudo umount /dev/sdX
  • Format with LUKS: sudo cryptsetup luksFormat /dev/sdX
  • Common error: "Device busy" means partition is mounted - unmount it

📋 Can't View System Logs

journalctl or log files aren't accessible.

💡 Solution:

  • Use sudo: sudo journalctl -xe
  • For auth logs: sudo tail -f /var/log/auth.log
  • If auth.log doesn't exist: sudo journalctl -u ssh
  • Check journald is running: systemctl status systemd-journald
  • Enable persistent storage: Edit /etc/systemd/journald.conf
  • Set: Storage=persistent

🔑 PAM Password Quality Not Working

Password requirements aren't being enforced after PAM configuration.

💡 Solution:

  • Install required package: sudo apt install libpam-pwquality
  • Edit: sudo nano /etc/pam.d/common-password
  • Add BEFORE other password lines: password requisite pam_pwquality.so retry=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
  • Test with a new user or password change
  • Check syntax: No extra spaces or typos
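
PAM runs the password stack in file order, so the "add BEFORE other password lines" step above can be checked mechanically. The following is an added example, not part of the original guide: `check_pwquality` is a hypothetical helper, and it is run against constructed sample stacks rather than a real /etc/pam.d/common-password.

```sh
#!/bin/sh
# Added example: check pam_pwquality placement and minlen in a PAM password stack.
# check_pwquality FILE [MIN_LEN]  -> prints ok | missing | after-unix | weak-minlen
# minlen is read from the PAM line only; a value set in
# /etc/security/pwquality.conf is not consulted by this sketch.
check_pwquality() {
    awk -v want="${2:-12}" '
        /^[ \t]*#/       { next }          # commented-out lines do not count
        $1 != "password" { next }          # only the password stack matters
        /pam_pwquality\.so/ {
            if (!pwq) pwq = NR
            for (i = 1; i <= NF; i++)
                if ($i ~ /^minlen=/) { split($i, kv, "="); minlen = kv[2] }
        }
        /pam_unix\.so/ { if (!unix) unix = NR }
        END {
            if (!pwq)                    print "missing"
            else if (unix && unix < pwq) print "after-unix"
            else if (minlen + 0 < want)  print "weak-minlen"
            else                         print "ok"
        }' "$1"
}

# Constructed sample stacks (not taken from a real system).
sample_dir=$(mktemp -d)
cat > "$sample_dir/good" <<'EOF'
password requisite pam_pwquality.so retry=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
EOF
cat > "$sample_dir/misordered" <<'EOF'
password [success=1 default=ignore] pam_unix.so obscure yescrypt
password requisite pam_pwquality.so retry=3 minlen=12
EOF
cat > "$sample_dir/commented" <<'EOF'
# password requisite pam_pwquality.so retry=3 minlen=12
password [success=1 default=ignore] pam_unix.so obscure yescrypt
EOF

for f in good misordered commented; do
    printf '%s: %s\n' "$f" "$(check_pwquality "$sample_dir/$f")"
done
```

On a real system, pass the path of the PAM file you edited as the first argument.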

🛡️ ClamAV Scan Not Running

ClamAV scheduled scan isn't executing at startup.

💡 Solution:

  • Check ClamAV is installed: clamscan --version
  • Update virus definitions: sudo freshclam
  • Check crontab: crontab -l
  • Add to crontab: crontab -e
  • Add line: @reboot /usr/bin/clamscan -r /home --log=/var/log/clamav/startup-scan.log
  • Check daemon: systemctl status clamav-daemon
  • Enable daemon: sudo systemctl enable clamav-daemon

👥 Can't Lock/Disable User Account

Commands to disable users aren't working as expected.

💡 Solution:

  • Lock account: sudo usermod -L username
  • Unlock account: sudo usermod -U username
  • Expire account: sudo usermod -e 1 username
  • Check lock status: sudo passwd -S username
  • Delete user: sudo userdel username
  • Delete user + home: sudo userdel -r username
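
As the usermod man page notes, `usermod -L` only disables the password, so other login methods such as SSH keys keep working unless the account is also expired with `-e 1`. The following added example (not from the original guide) shows how the two states appear in shadow-format lines; `account_states` is a hypothetical helper and the sample lines, including the hashes, are constructed.

```sh
#!/bin/sh
# Added example: tell a password lock (usermod -L) apart from an expired
# account (usermod -e 1) by reading shadow-format lines.
# account_states FILE [TODAY]   TODAY = days since 1970-01-01 (default: now)
account_states() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '{
        pw = "set"
        if ($2 == "")          pw = "none"     # empty field: no password required
        else if ($2 ~ /^[!*]/) pw = "locked"   # usermod -L prepends "!" to the hash
        acct = "never"                          # empty (or 0) field 8: no expiry
        if ($8 + 0 > 0) acct = (today + 0 >= $8 + 0) ? "expired" : "active"
        printf "%s password=%s expiry=%s\n", $1, pw, acct
    }' "$1"
}

# Constructed sample lines in /etc/shadow layout:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
shadow_sample=$(mktemp)
cat > "$shadow_sample" <<'EOF'
alice:$y$j9T$constructedhash:19700:0:99999:7:::
bob:!$y$j9T$constructedhash:19700:0:99999:7:::
carol:!$y$j9T$constructedhash:19700:0:99999:7::1:
dave:$y$j9T$constructedhash:19700:0:99999:7::30000:
EOF

# bob is only password-locked; carol is locked and expired.
account_states "$shadow_sample"
```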

⚠️ Linux-Specific Tips

Linux troubleshooting often requires checking:

  • System logs: sudo journalctl -xb (current boot)
  • Permissions: Many issues are permission-related - use sudo
  • SELinux/AppArmor: May block legitimate actions - check logs
  • Package manager: Update repos with sudo apt update
  • Distributions vary: Commands may differ between Ubuntu, Fedora, Arch, etc.

macOS Troubleshooting

🔐 FileVault Won't Enable

Can't turn on FileVault encryption in System Preferences.

💡 Solution:

  • Ensure you're logged in as an administrator
  • Click the lock icon in System Preferences → Security & Privacy
  • Enter admin password to unlock settings
  • Go to FileVault tab → Click "Turn On FileVault"
  • If greyed out: Your Mac may use an Apple T2 chip with automatic encryption
  • Check encryption status: System Preferences → Security & Privacy → FileVault
  • Terminal check: fdesetup status

🔐 FileVault Recovery Key Lost

Can't find the FileVault recovery key.

💡 Solution:

  • If saved to iCloud: Sign in at appleid.apple.com → Security → Recovery Key
  • If still logged in: System Preferences → Security & Privacy → FileVault → "Create a recovery key"
  • PREVENTION: Store recovery key in multiple secure locations
  • Consider: Password manager, physical safe, trusted family member
  • WARNING: Without recovery key, data is permanently lost if you forget password

📋 Can't Access Console Logs

Console app won't show system logs or appears empty.

💡 Solution:

  • Open Console: Applications → Utilities → Console
  • Click "Start" button in toolbar to start streaming
  • Select device in sidebar (usually your Mac's name)
  • Use search to filter: Enter keywords in search bar
  • Terminal alternative: log show --predicate 'eventMessage contains "error"' --last 1h
  • View specific process: log show --predicate 'process == "loginwindow"'

🔑 Can't Change Password Policy

System Preferences doesn't offer password complexity options.

💡 Solution - Use pwpolicy Command:

  • Open Terminal
  • Set minimum length: sudo pwpolicy -setglobalpolicy 'minChars=12'
  • Require complexity: sudo pwpolicy -setglobalpolicy 'requiresAlpha=1 requiresNumeric=1'
  • Multiple requirements: sudo pwpolicy -setglobalpolicy 'minChars=12 requiresAlpha=1 requiresNumeric=1 requiresSymbol=1'
  • View current policy: sudo pwpolicy -getglobalpolicy

👥 Guest User Can't Be Disabled

Guest User keeps re-enabling itself.

💡 Solution:

  • System Preferences → Users & Groups
  • Click lock icon and authenticate
  • Select "Guest User" in left sidebar
  • Uncheck "Allow guests to log in to this computer"
  • Also uncheck "Allow guest users to connect to shared folders"
  • If it re-enables: May be required by institutional profile
  • Check: System Preferences → Profiles for restrictions

🛡️ XProtect Not Updating

Built-in malware protection isn't getting updates.

💡 Solution:

  • XProtect updates automatically with macOS updates
  • Check for updates: System Preferences → Software Update
  • Force check: sudo softwareupdate -l
  • Install all: sudo softwareupdate -ia
  • XProtect definitions location: /System/Library/CoreServices/XProtect.bundle
  • Consider third-party: ClamXAV, Malwarebytes, or Sophos for additional protection

🔑 Keychain Access Issues

Getting constant keychain password prompts or keychain errors.

💡 Solution:

  • Open Keychain Access (Applications → Utilities)
  • Select "login" keychain in left sidebar
  • Edit → Change Password for Keychain "login"
  • Use your current login password
  • If corrupted: Delete login keychain (backup first!)
  • Logout/login to create new clean keychain
  • Reset all keychains: security delete-keychain ~/Library/Keychains/login.keychain-db

⚠️ macOS-Specific Notes

Important considerations for macOS:

  • System Integrity Protection (SIP) prevents many low-level changes
  • Don't disable SIP unless absolutely necessary and you know what you're doing
  • Gatekeeper may block unsigned applications - right-click → Open to bypass
  • FileVault is very secure but recovery key is CRITICAL - store it safely
  • Apple T2/M1/M2 chips include hardware encryption by default