Bitlocker Policy Error on Flash Drive Encryption

    Question

  • Hello,

    In our organization we have a policy to require Bitlocker flash drive encryption. This is set via Group Policy. I am having an issue on some computers where when they select to encrypt their flash drive for the first time, they get the following error message:

    BitLocker Encryption cannot be applied to this drive because of conflicting Group Policy settings.
    When write access to drives not protected by BitLocker is denied, the use of a USB startup key cannot be required. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker.

    Comparing to my laptop which is working, here is what I've gathered:

    • Same OU/Group Policies
    • No group memberships
    • Same TPM settings in BIOS and TPM Management Console
    • Tried multiple flash drives
    • Doesn't matter who is logged in. Local admin, Domain Admin, or the user of the machine.

    We do not require a USB startup key (obviously) and the policy is set to store the recovery passwords and key packages in AD DS. Another thing is the workstation HD is encrypted and the recovery key is in AD, so that tells me at least at one point it had a healthy relationship with the DCs.

    I am convinced it is not an issue with the policy, as there are currently only 2 users complaining of this issue out of 450. Where do I go on the workstation side of things to see what is happening? For your peace of mind, I have isolated the workstation in its own OU with only one policy applied. Here is what the policy looks like-


    Monday, July 6, 2015 2:12 PM

Answers

  • So I ended up opening a ticket with Microsoft. The solution was to change the following registry value from 1 to 0:

    HKLM\Software\Policies\Microsoft\FVE\EnableBDEWithNoTPM

    For some reason I am guessing during Windows installation it didn't detect the TPM correctly and put that in there. Who knows. Working now!

    • Marked as answer by flakesam Thursday, September 3, 2015 1:34 PM
    Thursday, September 3, 2015 1:34 PM
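The registry value named in the accepted answer, the "Deny write access" policy tested earlier in the thread, and the tpm.msc check a moderator suggests can all be read from one place on the affected client. The following PowerShell script is an added example and is not from the thread or from Microsoft; it assumes it is run elevated on the client, that `EnableBDEWithNoTPM` is the value from the answer above, and that `RDVDenyWriteAccess` and `UseAdvancedStartup` are the registry values behind the "Deny write access to removable drives not protected by BitLocker" and "Require additional authentication at startup" policies. It only reads; the one-line fix from the ticket is printed as a suggestion, not applied.

```powershell
# Added example, not part of the original thread: read the BitLocker (FVE)
# policy values discussed in the thread plus the TPM state, and flag the
# combination that produces the "USB startup key cannot be required" error.
# Assumptions: run elevated; value names below are the FVE policy values
# (EnableBDEWithNoTPM is from the accepted answer, RDVDenyWriteAccess and
# UseAdvancedStartup are assumed to back the two policies named in the thread).

$fvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the policy key or the value is absent, rather than throwing.
    $item = Get-ItemProperty -Path $fvePath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = [ordered]@{
    UseAdvancedStartup = Get-FvePolicyValue -Name 'UseAdvancedStartup'
    EnableBDEWithNoTPM = Get-FvePolicyValue -Name 'EnableBDEWithNoTPM'
    RDVDenyWriteAccess = Get-FvePolicyValue -Name 'RDVDenyWriteAccess'
}

# TPM state as tpm.msc shows it. Get-Tpm (TrustedPlatformModule module) is not
# present on Windows 7, so probe for the cmdlet first instead of failing.
$tpm = $null
if (Get-Command -Name Get-Tpm -ErrorAction SilentlyContinue) {
    $tpm = Get-Tpm
}
$report.TpmPresent = if ($tpm) { $tpm.TpmPresent } else { 'unknown (Get-Tpm unavailable, use tpm.msc)' }
$report.TpmReady   = if ($tpm) { $tpm.TpmReady }   else { 'unknown (Get-Tpm unavailable, use tpm.msc)' }

[pscustomobject]$report | Format-List

# The state the thread ends on: removable-drive writes are denied unless the
# drive is BitLocker-protected, while the startup policy still says BitLocker
# may run without a TPM (which on Windows 7 implies a USB startup key), on a
# machine that in fact has a working TPM.
if ($report.RDVDenyWriteAccess -eq 1 -and $report.EnableBDEWithNoTPM -eq 1) {
    Write-Warning 'Conflict: RDVDenyWriteAccess=1 together with EnableBDEWithNoTPM=1.'
    if ($tpm -and $tpm.TpmPresent) {
        Write-Warning 'TPM is present. Fix from the Microsoft ticket in this thread:'
        Write-Warning '  Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Name EnableBDEWithNoTPM -Value 0'
        Write-Warning 'If a GPO delivers this value it will be re-applied at refresh; correct the GPO source instead.'
    }
}
```

Run it on a working machine and on a failing one and compare the two `Format-List` outputs; in the thread's case the only difference was `EnableBDEWithNoTPM`, which the Group Policy result reports (RSoP, gpresult) did not surface because the value had not come from the GPO.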

All replies

  • Hi.

    Run rsop.msc at the client. Maybe local policies interfere.

    Monday, July 6, 2015 7:56 PM
  • Forgot to mention that. RSoP and gpresult are showing correct- I disabled both local policies (user and computer)
    Monday, July 6, 2015 8:16 PM
  • Hi,

    According to your screenshot, I guess this problem might be caused by the policy "Deny write access to removable drives not protected by BitLocker" being enabled.

    Please try to disable this policy for test.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, July 7, 2015 2:48 AM
    Moderator
  • I disabled the "Deny write access to removable drives" for this machine and it will allow the encryption to work. The recovery password was added into the computer object. This tells me there is a healthy relationship between the computer and the domain.

    The problem is that we don't want this allowed and the policy is working perfectly to our entire organization with the exception of a few computers. It has to be an issue with either the way the workstation is applying the policies or something else with the workstation itself.

    Friday, July 10, 2015 7:47 PM
  • Since other PCs with the policy enabled work correctly with BitLocker encryption, have you tried running the GPResult command to check their Group Policy status?


    Monday, July 13, 2015 2:12 AM
    Moderator
  • Yes, I have done that and also RSoP. Everything checks out.
    Friday, July 17, 2015 4:40 PM
  • Hi,

    Would you please upload the gpresult to OneDrive and post the download link here?



    Monday, July 20, 2015 2:44 AM
    Moderator
  • Here is a download. I replaced our domain and org info from the source just because, you know, internet. I also only ran results for the computer policies. I know the issue isn't with the user policies since that particular user can encrypt on other machines, and I cannot encrypt on hers.

    https://drive.google.com/file/d/0By3NxA_ZuCt2TGVqdnhGajd6dkE/view

    Monday, July 20, 2015 6:58 PM
  • Hi,

    I have already checked the GPreport, and you can remove it from the download for security.

    For your problem, according to the error message, it indicates that BitLocker needs a startup key on a USB drive during Windows startup. This requirement occurs on Windows 7, Windows Server 2008 R2 or earlier Windows editions, because if the PC doesn't contain a TPM module, we need to enable the policy:

    Require additional authentication at startup

    There is a difference between Windows 7 and Windows 8.1. In Windows 7, when this policy is enabled, a USB drive with a startup key is necessary, while in Windows 8.1 it is not.

    Now we come back to your problem: if this is Windows 7 without a TPM module, you may encounter this error message when applying the policy. But if it is Windows 8.1, the error message would disappear. Please check it.



    Tuesday, July 21, 2015 4:30 AM
    Moderator
  • I had the same issue recently and I think it was related to the deployment of the OS using SCCM and enabling BitLocker as one of the task sequences.

    I haven't determined the exact cause yet, but the workaround was to turn off BitLocker, unencrypt the OS drive, turn it back on and encrypt it again.

    I know this doesn't make much sense based on the error message and the fact that the problem is with encrypting a USB device, but it worked for me.

    Tuesday, July 21, 2015 6:21 PM
  • Roger,

    Thanks for the reply. The machine DOES have a TPM module and it is enabled in BIOS with the same settings as other laptops of the same model that are working. I had come to the same conclusion as you but I wasn't sure where to go since it was enabled.

    Thursday, July 23, 2015 5:01 PM
  • Thank you, I will try this!
    Thursday, July 23, 2015 5:01 PM
  • Hi,

    How about your problem now? You can follow the steps below to check TPM status:

    Open Run, type tpm.msc, Press Enter.



    Monday, July 27, 2015 1:49 AM
    Moderator
  • L.S. - Unfortunately, un-encrypting and re-encrypting the hard drive did not work. Still getting the same message.

    Roger - I have compared all the settings in tpm.msc to a working machine and they are exactly the same :(

    Wednesday, July 29, 2015 12:28 PM