BitLocker initialisation failed, now cannot access boot drive and key not accepted RRS feed

  • Question

  • Hi,

    I've got an issue enabling BitLocker on an HP 250 G4 laptop running Windows 10 Pro 1709.

    I tried several times to enable BitLocker - the system has a TPM module, and I was selecting to also required a USB drive at boot-up - I didn't required a PIN.

    On each occasion after BitLocker restarted from it's initial test I received the message "BitLocker could not be enabled", "The BitLocker encryption key cannot be obtained. Verify the the Trusted Platform Module (TPM) is enabled and owenership has been taken. If this computer does not have a TPM, verify that the USB drive is inserted and available. C: was not encrypted."

    After a few more tries I eventually ended up on the blue "enter your key" screen when restarting - although I don't think I ever managed to complete the initial BitLocker verification.

    I have it set to store the BitLocker Recovery Passwords in our AD - and I have a record for this computer which shows a matching Password ID. However when I enter the Recovery Password shown against this it tells me the password doesn't match the drive.

    I've also removed the drive from the laptop and connected it to another computer - supplied the same Recovery Password when prompted - but again I'm told it's incorrect.

    Can anyone help me understand what's gone wrong here?



    Saturday, November 18, 2017 11:11 AM

All replies

  • Here's what I mean - clearly the details have been recorded in AD - it all matches. But as you can see on the machine it won't unlock!

    Sunday, November 19, 2017 5:22 PM
  • Your recovery key does not work for some reason and you already checked that the key ID in AD is matching the requested key ID. So all you can do is try from another windows instance: boot setup (win10 1709), when the setup  screen shows, press shift F10 and a command line will appear. There, identify how setup has enumerated the system drive (which drive letter has it assigned to what you know as c:) for example by using the diskpart command  - normally, it would be d:. Best would be to run manage-bde -status c: and ...d: and ...e: for all partition visible so that you see the identifier and know which partition to work on.

    To repair using a recovery password: 

    repair-bde C: Z: -rp your_repair_password

    If that does not work, you will need to resort to your latest backup.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Wednesday, November 22, 2017 6:55 AM