Unable to get Bitlocker to Encrypt Drive

    Question

  • I am having a major problem with Bitlocker on my Windows 7, 64-bit, Hewlett Packard 6005 desktop computer.  I have all of the policy settings for Bitlocker configured according to what I am pretty sure are the right settings.  The TPM is compatible and initialized and active.  Then I run through the rest of the setup, saving the bitlocker encryption password out to a network drive, the bitlocker partition gets created, however when I restart the PC to kick off the encryption, it never starts.  When I check the status of the encryption it just keeps showing that the drive is fully decrypted.

    We use a pre-configured image to deploy our systems.  The BitLocker encryption was initially working when we first created the image.  I deployed the image to my computer, ran through the BitLocker Wizard, and the drive encrypted fully.  My supervisor wanted me to test to make sure the drive could also be decrypted, so I ran the option to decrypt the drive and all worked great.  But somewhere along the way, the encryption function stopped working.  It goes through all of the proper steps to Bitlocker the drive but never gives us any errors that it won't run or that it never completes.  Typically when the encryption is running a notification icon appears in the system tray to show you the status of the encryption completion.  This never appears.  And if encryption was properly running, then if I go back into Control Panel, BitLocker it would show the status of the encryption, instead it just shows the option to turn on BitLocker.

    I thought that perhaps a Windows Update along the way may have corrupted the ability to run BitLocker.  So I started from scratch with a cleanly formatted drive and installed the Windows 7, 64-Bit Operating System with Service Pack 1.  I configured the drive on the network and before any updates were allowed to drop to it, I configured the policy for BitLocker and ran through the process of the BitLocker setup wizard to encrypt the drive.  Again, it never actually ran although it went through all of the proper steps to start the encryption it never gave any error that it did not run.

    At this point, I am not sure what else to try next and hope by my description of the issue above, someone might have experienced this issue before and might have a solution to resolve it.

    Thanks in advance for any help.

    Tuesday, February 21, 2012 3:19 PM

Answers

  • Well we were finally able to resolve our own problem.  The problem we were having with clients not being able to be Bitlockered successfully was a script that we had associated with one of the organizational units (OU) in Active Directory (AD).  The script was written to automatically decrypt a bitlockered encrypted drive.  When we dropped machine accounts into that OU, the drives would automatically start decrypting.  We actually forgot about it.  Once we disassociated that script from the OU, we were able to successfully start Bitlocker and have it run to completion and have the drives stay encrypted.

    So we resolved our own problem.  Hopefully this will help someone else who may be encountering the same issue and be oblivious to the fact that a policy or script is the culprit.

    This issue is resolved.

    • Marked as answer by lawrin1958 Tuesday, April 24, 2012 11:32 AM
    Tuesday, April 24, 2012 11:32 AM
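
A triage sequence for the situation resolved above, as an added example that is not part of the original thread: it reads the volume state, looks for the Event ID 24592 warning reported elsewhere in this thread, and searches Group Policy script folders for BitLocker decrypt calls. It assumes the script reached the OU through a linked GPO and that SYSVOL is at its default path; the parameter names and the search pattern are illustrative.

```powershell
# Added example: triage for a BitLocker volume that will not start or stay encrypted.
# Run elevated on the affected client. $Volume and $DomainFqdn are assumptions.
param(
    [string]$Volume     = 'C:',
    [string]$DomainFqdn = $env:USERDNSDOMAIN
)

# 1. Current state as reported by manage-bde (ships with Windows 7).
$status = & manage-bde.exe -status $Volume
$status | Select-String 'Conversion Status|Percentage Encrypted|Protection Status'

# 2. System-log entries with the event ID quoted in this thread (24592).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 24592 } `
              -MaxEvents 20 -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, ProviderName, Message | Format-List

# 3. Scripts delivered through Group Policy are stored under SYSVOL\<domain>\Policies.
#    Flag any script file that calls a BitLocker decrypt operation:
#    "manage-bde ... -off" or the WMI Win32_EncryptableVolume Decrypt method.
$policies = "\\$DomainFqdn\SYSVOL\$DomainFqdn\Policies"
$pattern  = 'manage-bde(\.exe)?\s+.*-off|\.Decrypt\b'
Get-ChildItem -Path $policies -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   $_.Extension -match '^\.(bat|cmd|vbs|js|ps1|wsf)$' } |
    Select-String -Pattern $pattern |
    Select-Object Path, LineNumber, Line

# 4. GPOs that actually apply to this computer, to match against the
#    policy GUIDs in the paths returned by step 3.
& gpresult.exe /scope computer /r
```

A hit in step 3 whose policy GUID also appears in step 4 points at a script that is being applied to the machine's OU.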

All replies

  • Hi,

    Regarding this issue, I suggest you first update BIOS on your computer. After that, please use manage-bde commands to enable BitLocker. For more information, please refer to the following article:

    http://technet.microsoft.com/en-us/library/dd894351(v=ws.10).aspx

    Best regards,
    Della Li

    Thursday, February 23, 2012 2:13 AM
  • Hello,

    Thanks for the response.  I updated the BIOS on my system and that did not resolve the issue.  I have not had a chance to try the command line tool yet.  It is kind of confusing to me exactly how to set up the correct syntax for the command given all the different switches.  But I will give that a try.

    Thanks,
    Lawrin

    Wednesday, February 29, 2012 6:09 PM
  • Well, it seems that I have figured out a WORKAROUND that seems to be working. 

    When you run the BitLocker Wizard, one of the last screens you see in the wizard shows the option to "Run BitLocker System Check".  The system check will ensure that BitLocker can read the recovery and encryption keys correctly before encrypting the drive.  It will restart the computer and test the system before encrypting.  However, on my system, with that option checked, BitLocker NEVER starts when the computer restarts.  There are no visible error messages that pop up to tell me that it isn't running.  My only indication that it isn't running is that there is no padlock icon on the C:\ drive and there is a Warning message that gets logged into the System Event Log that says "an attempt to automatically restart conversion on volume c: failed" (Event ID #24592).

    BUT, when I run the BitLocker wizard and DO NOT check the option to "Run BitLocker System Check", the Continue button now becomes a "Start Encrypting" button.  When I click Start Encrypting, encryption runs just fine and fully encrypts the drive.  So I can use this method to encrypt my drives.

    One weird thing though.  I noticed that in certain situations, Decryption will automatically start with no notification.  Case in point.  The other day I wanted to test to make sure that I could access the BitLockered drive with the recovery key if I tried to boot it up in another machine on my network.  We are on a domain using DHCP network addressing.  The other machine had a different MAC address, but I was able to boot up the drive (after entering the recovery key) and it did get an IP address assigned to it.  However, when I went to boot the drive back up in the original machine it was BitLockered in, I was not able to log onto the domain with my domain credentials.  I had to rejoin it to the domain.  After rejoining the domain, and restarting the computer, Decryption automatically started and fully decrypted my drive.  Now I have to encrypt it again which means I have to save a new recovery key.  Not sure why this automatically happens, but at least I can move forward to encrypt our Windows 7 drives on our network.

    Lawrin

    Friday, March 16, 2012 1:45 PM
  • Well now it seems I have encountered a different dilemma with BitLocker.  Now for some reason the drives are NOT staying Encrypted.  Something is triggering something to cause the drive to automatically start Decrypting.  On my computer in particular, I have had to run BitLocker 5 times within the past two weeks because something is causing my drive to automatically start decrypting.  I encrypted my drive yesterday because I noticed that it was no longer encrypted.  When I left for the day, the C:\ drive icon was showing the lock icon on the drive icon and it showed that BitLocker was turned on.

    Today a couple of my programs locked up to the point where I had to restart my computer.  When I restarted I noticed that everything was really slow and when I clicked on the start button and selected Computer, I noticed that my C:\ drive icon space was all red and showing no space, and the little lock icon that denotes Bitlocker being turned on was no longer there.  When I went to Control Panel and into BitLocker, it showed that the drive was decrypting and I had not issued a request for it to be decrypted.

    I work for the federal government and we have pre-configured images that we have to deploy to our users.  When we first started deploying Windows 7 back in Sep/Oct 2011, we had no problem whatsoever deploying BitLocker and encrypting the drives.  A handful of machines that we deployed and Bitlockered back during that time frame are all still encrypted.  All of the images that we have deployed over the past three months have been unable to be Bitlockered, and if we finally get them BitLockered with the workaround I referenced above, they don't stay that way for long and automatically decrypt.

    Nothing has changed on our image except for periodic software updates to Flashplayer, Java, Shockwave, Adobe Reader and Windows Updates.  So my only conclusion is that it could possibly be a Windows Update that is causing my issue, but I have no way of figuring out which one may be the culprit.  Besides, our systems are linked to a Windows Update Server, so if I remove an update, I won't have a chance to test BitLocker Encryption before the update will automatically be installed again.

    I don't know where to go from here and I am hoping that someone out there is possibly experiencing the same problem and can maybe shed some light on what the problem might be.

    Thank you

    • Marked as answer by lawrin1958 Tuesday, April 24, 2012 11:27 AM
    • Unmarked as answer by lawrin1958 Tuesday, April 24, 2012 11:27 AM
    Tuesday, March 27, 2012 7:00 PM