Sysprep Fails on Windows 11 25H2 with Error 0x80310039 – BitLocker Enabled on OS Volume (4381184)

When running Sysprep on Windows 11 25H2, the process may fail during the generalize phase with the following error in the Sysprep logs (C:\Windows\System32\Sysprep\Panther\setuperr.log or sysprep.log):

Error SYSPRP BitLocker-Sysprep: BitLocker is on for the OS volume. Turn BitLocker off to run Sysprep. (0x80310039)

This can occur even if BitLocker was not manually enabled. On supported hardware, Windows 11 25H2 may automatically activate device encryption/BitLocker during the initial setup.

Sysprep cannot continue while BitLocker protection is enabled on the system drive (C:). During the generalize phase, Sysprep needs unrestricted access to system files and registry hives. If the OS volume is still encrypted, the internal check ValidateBitLockerState fails with error code 0x80310039, and Sysprep is aborted.

On Windows 11 25H2, BitLocker or Device Encryption is often turned on automatically for devices that meet Microsoft’s requirements (such as TPM 2.0 and Modern Standby). As a result, a fresh installation may already have encryption active without the administrator explicitly enabling it.

1. Verify BitLocker status

Open Command Prompt as Administrator and run:

manage-bde -status C:

If the output shows Conversion Status: Fully Encrypted or Conversion Status: Decryption in Progress, BitLocker is active on the OS volume.

2. Turn off BitLocker completely

From the same elevated Command Prompt, run:

manage-bde -off C:

This command starts the decryption process on drive C:. The drive will remain accessible during decryption.

3. Wait until decryption finishes (critical step)

The administrator must wait until decryption has fully completed before running Sysprep again. To monitor progress, use:

manage-bde -status C:

Only proceed once the output shows values similar to:

Conversion Status: Fully Decrypted
Percentage Encrypted: 0.0%
Protection Status: Protection Off

Important: If Sysprep is executed while Conversion Status: Decryption in Progress is still displayed, the same error (0x80310039) is likely to occur again. Do not interrupt or cancel the decryption process and avoid unnecessary reboots until it completes.

4. Rerun Sysprep

After confirming that the OS volume is fully decrypted, rerun Sysprep

At this point, the ValidateBitLockerState check should succeed, and Sysprep will continue normally.

Additional Notes

• After capturing or deploying the image, BitLocker can be re-enabled with:

  manage-bde -on C:

• This behavior has been observed specifically on Windows 11 25H2 where device encryption is enabled automatically during installation.