Group Policy settings for BitLocker startup options are in conflict

  • Question

  • I have a user who would like to encrypt his drives with BitLocker. We have no policies in place to control this so he should be able to do it. He encrypted his C drive and all went well. He has a second internal hard drive (E:) too and that one will not encrypt. When he tries to enable BL he gets an error... Again, there are no GPOs controlling this; however, there are some local policies in place that I assume got created when he encrypted his C drive. How can we work around this error?

    Volume E: [Stuff]

    [Data Volume]

    ERROR: An error occurred (code 0x8031005b):

    The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.


    John Marcum | Microsoft MVP - Enterprise Client Management
    My blog: System Center Admin | Twitter: @SCCM_Marcum | Linkedin: John Marcum

    Thursday, February 11, 2016 2:00 PM

Answers

  • Hi,

    In addition, you can try this configuration to see the results:

    If you have a motherboard and a BIOS compatible with a TPM, you can uncheck the first option "Allow BitLocker without a compatible TPM".

    Then, Microsoft has made a mistake with the terms that are being used (in my point of view): in fact, you have to understand you cannot "require" an option if you "allow" some others...

    So you have 2 choices:

     - either you "allow" each option so you can choose which one when you set BitLocker on,

     - or you can "require" an option and disable all the others, so you will not be able to make a choice when you set BitLocker on.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by John Marcum Monday, February 15, 2016 3:17 PM
    Monday, February 15, 2016 2:57 AM
    Owner
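
The answer's rule (either allow every startup option, or require one and disable the rest) can be checked against the configured policy. The following is an added example, not part of the thread; it assumes the policy is stored under HKLM:\SOFTWARE\Policies\Microsoft\FVE with the value names shown, and the function name and sample values are constructed for illustration.

```powershell
# Added example: audit the BitLocker startup-option policy for a require/allow mix.
# Assumption: values live under HKLM:\SOFTWARE\Policies\Microsoft\FVE and use
# 0 = do not allow, 1 = require, 2 = allow. Test-StartupPolicy is a hypothetical name.
function Test-StartupPolicy {
    param([hashtable]$Policy)   # value name -> DWORD; omit to read the live policy key

    $options = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'
    if (-not $PSBoundParameters.ContainsKey('Policy')) {
        $Policy = @{}
        $key = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
        foreach ($name in @('UseAdvancedStartup', 'EnableBDEWithNoTPM') + $options) {
            if ($key -and $null -ne $key.$name) { $Policy[$name] = [int]$key.$name }
        }
    }

    $required = @($options | Where-Object { $Policy[$_] -eq 1 })
    $allowed  = @($options | Where-Object { $Policy[$_] -eq 2 })
    $enabled  = $Policy['UseAdvancedStartup'] -eq 1

    # Rule from the answer: allow every option, or require one and disable the rest.
    $conflict = $enabled -and (
        $required.Count -gt 1 -or ($required.Count -eq 1 -and $allowed.Count -gt 0))

    [pscustomobject]@{
        PolicyEnabled   = $enabled
        AllowWithoutTpm = $Policy['EnableBDEWithNoTPM'] -eq 1
        Required        = $required -join ', '
        Allowed         = $allowed -join ', '
        Conflict        = $conflict
    }
}

# Constructed sample: one option required while two others are still allowed.
$mixed = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1
            UseTPM = 1; UseTPMPIN = 2; UseTPMKey = 2; UseTPMKeyPIN = 0 }
# Constructed sample: one option required, all others set to "do not allow".
$strict = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 0
             UseTPM = 1; UseTPMPIN = 0; UseTPMKey = 0; UseTPMKeyPIN = 0 }

Test-StartupPolicy -Policy $mixed
Test-StartupPolicy -Policy $strict
Test-StartupPolicy    # no argument: evaluates the policy configured on this machine
```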

All replies

  • Hi,

    First, please check whether your user has put the recovery key on the E drive he wants to encrypt.

    Make sure to set the similar GP for the data drive in gpedit and see if he can do this now.




    Friday, February 12, 2016 3:41 AM
    Owner
  • I sent your info to the user, I'll let you know what we find. However he didn't set any local GPOs himself. We think they were set automatically when he encrypted C:.

    John Marcum | Microsoft MVP - Enterprise Client Management
    My blog: System Center Admin | Twitter: @SCCM_Marcum | Linkedin: John Marcum

    Friday, February 12, 2016 2:06 PM