0x80310018 FVE_E_FAILED_AUTHENTICATION — Windows Error Code

Q: What does the Windows error code 0x80310018 mean?

It is the Win32 / NTSTATUS code FVE_E_FAILED_AUTHENTICATION (decimal -2144272360). BitLocker Drive Encryption authentication failed. The recovery key may be required.

Q: How do I decode 0x80310018 in PowerShell?

Run [ComponentModel.Win32Exception]::new(-2144272360).Message in any PowerShell session. For HRESULT-style codes, use err.exe from the Windows SDK or the WinDbg !error command.

Q: Where does Windows typically log this error?

It depends on the originating subsystem (Windows Update → %WinDir%\WindowsUpdate.log; AD/Kerberos → Security event log on the DC; BSOD → minidump under C:\Windows\Minidump; MSI → %TEMP%\msi*.log; WMI → Microsoft-Windows-WMI-Activity). Always cross-reference the timestamp and module name with the Application and System event logs.

Description

FVE_E_FAILED_AUTHENTICATION (hex code 0x80310018, decimal -2144272360) is a Windows error-level error code in the BitLocker Errors family. Microsoft surfaces this code through the Win32 API, the Common Language Runtime, the kernel, the event log, PowerShell, command-line tools (sfc, dism, gpupdate, sc), and Windows-side applications such as Outlook, Teams, Office, and System Center.

BitLocker Drive Encryption authentication failed. The recovery key may be required.

This page documents what triggers 0x80310018, the most common scenarios where it appears, the likely root causes, and a step-by-step troubleshooting workflow you can run against affected endpoints. It is intended for system administrators, MSP technicians, helpdesk engineers, and anyone diagnosing Windows behavior in a managed environment.

In-depth explanation

This is an error-severity code. Windows uses it to signal a failed operation that prevented the caller from completing its work. The underlying cause can range from a permissions or quota issue to a corrupted system component, missing dependency, or unreachable service.

It is part of the FVE / BitLocker error space. It surfaces in manage-bde, the BitLocker recovery flow, or the Microsoft-Windows-BitLocker-API event log.

The code can be looked up programmatically in PowerShell with [ComponentModel.Win32Exception]::new(-2144272360).Message (for Win32 / NTSTATUS codes that map cleanly), or with net helpmsg <decimal> for the legacy decimal range. For HRESULT-style codes, decode the facility and code with err.exe from the SDK or via the WinDbg !error command.

Common causes

TPM owner password mismatch or PCR values changed (BIOS / Secure Boot toggled).
Recovery key not escrowed in AD / Azure AD / Intune — retrieve from MyAccount portal if user-protector exists.
Boot configuration (BCD) modified by an OS install or partition manager.
Failing system disk — read errors during decryption.
Group Policy mismatch (encryption method, recovery options) causing the volume to refuse to decrypt.

Troubleshooting steps

Run manage-bde -status to identify the protector type and conversion state of the volume.
Retrieve the recovery key from AD (Get-ADComputer -Properties msFVE-RecoveryInformation), Azure AD (Devices > BitLocker keys), or Intune.
If TPM-related: clear the TPM (tpm.msc), boot once successfully, then re-enable BitLocker so a fresh PCR seal is taken.
Check Secure Boot state and BIOS settings — toggling them invalidates the PCR seal and forces recovery.
For decryption errors, run chkdsk /f /r on the affected volume — a failing disk is a common root cause.

Decode in PowerShell

# Decode 0x80310018 (-2144272360) in PowerShell
[ComponentModel.Win32Exception]::new(-2144272360).Message

# Or via WinDbg / err.exe (Windows SDK)
# err 0x80310018

# Or net helpmsg (legacy decimal range only)
# net helpmsg <decimal>

Frequently asked questions

What does the Windows error code 0x80310018 mean?

It is the Win32 / NTSTATUS code FVE_E_FAILED_AUTHENTICATION (decimal -2144272360). BitLocker Drive Encryption authentication failed. The recovery key may be required.

How do I decode 0x80310018 in PowerShell?

Run [ComponentModel.Win32Exception]::new(-2144272360).Message in any PowerShell session. For HRESULT-style codes, use err.exe from the Windows SDK or the WinDbg !error command.

Where does Windows typically log this error?

It depends on the originating subsystem (Windows Update → %WinDir%\WindowsUpdate.log; AD/Kerberos → Security event log on the DC; BSOD → minidump under C:\Windows\Minidump; MSI → %TEMP%\msi*.log; WMI → Microsoft-Windows-WMI-Activity). Always cross-reference the timestamp and module name with the Application and System event logs.

Is this code recoverable?

Critical-severity codes usually require kernel-level investigation (driver, hardware, system file repair). Error and warning codes are typically recoverable through the troubleshooting workflow on this page — start with the elevated-shell + log review steps.

Should I open a Microsoft support case for this?

Open a case if the error reproduces after applying the troubleshooting steps, particularly if it blocks production workloads, occurs across multiple endpoints, or is associated with a security boundary (BitLocker recovery, Kerberos failure, DCOM hardening, SmartScreen / WDAC). Have a fresh CBS log, minidump, or Get-WinEvent export ready before opening the case.