ERROR - the ProtectKeyWithTPMAndPIN Method failed with the exit code: 8031005B

  • Question

  • Hello

    I am using the EnableBitlocker.vbs script to automatically assign the TPM and start the encryption. I am running it from an elevated command prompt. Here are the arguments I am running with

    cscript EnableBitLocker.vbs /on:tp /l:c:\bitlockerlog.log /promptuser /ro:"MBAM" on

    All is well and it prompts the user for a PIN but then it fails.

    Here is the full log file. I haven't been able to find any info on the error code in the subject.

    Script processing started  02/07/2014       14:43:27
    Proper number of command line arguments passed to the script
    -----------------------------------------------------------------------
    ---------------Executing with the following arguments------------------
    -----------------------------------------------------------------------
    Enable parameters: tp
    Logging location: c:\bitlockerlog.log
    Create recovery key: No recovery key use specified
    Encryption method: 3
    Create SMS status MIF's: No SMS status MIF's will be created
    Reset TPM ownership: 1
    User prompting: 1
    -----------------------------------------------------------------------
    Connection succeeded to MicrosoftTPM
    Successfully retrieved a TPM instance from the Win32_TPM provider class
    TPM found in the following state:
    Enabled - True
    Activated - True
    Owned - True
    Connection succeeded to MicrosoftVolumeEncryption
    TPM is in a ready state to enable BitLocker.
    Change TPM owner password specified on the command line.
    Random TPM owner password is: ;&K:)BU65|c7_v2n
    Completed converting old owner password to owner authorization:  0
    Completed converting owner password to owner authorization:  0
    Starting to change owner authorization process on the TPM
    ERROR - Failed to change owner authorization on the TPM with the following exit code:  80280001
    Successfully connected to WMI StdRegProv
    Checking if Group Policy encryption method is set...
    Found EncryptionMethod with value: 4
    Found EncryptionMethod policy registry key ignoring any /em options on command line
    Found ActiveDirectoryBackup with value: 1
    Found RequireActiveDirectoryBackup with value: 1
    Determined client Group Policy configured to require AD escrow of recovery password
    EncryptableVolumes count is: 1
    The EncryptableVolume(s) found: \\?\Volume{ad6db324-01dd-11e4-8272-806e6f6e6963}\
    EncryptableVolume used for encryption is: C:
    The volume has a protection status of: 0
    BitLocker Protection is Off
    Get conversion status is: 0
    The volume has a status of fully decrypted
    The following user is logged on: MGMT\80151318-sys
    Attempting to enable BitLocker TPM + Pin
    ERROR - the ProtectKeyWithTPMAndPIN Method failed with the exit code:  8031005B
    Script ended  02/07/2014       14:43:51

    Any and all help would be appreciated. This has worked before on a different laptop.

    Thanks

    Wednesday, July 2, 2014 4:15 PM

Answers

  • Hi,

    This error indicates that the group policy isn't set correctly. When configuring the group policy at the server side, you should notice that only one of the additional authentication methods can be required at startup, otherwise a policy error occurs; the notice can be found just like below:

    and after test, the error indeed occurs, just like the screen below:

    So, I suggest to check the group policy for bitlocker settings, you can only choose one start up authentication method.

    Regards


    Wade Liu
    TechNet Community Support


    Friday, July 4, 2014 10:56 AM

All replies

  • I know this is kind of a necro post.

    But since I've "googled" for hours to find some information, this was one of the first hits I got. In my case I got the same error "ERROR - the ProtectKeyWithTPMAndPIN Method failed with the exit code:  80310068" on my existing deployment with Windows 8.1 Enterprise while switching over to Windows 10 Enterprise.

    Solution for me: change the initial password length triggered by my script from 4 chars to 8 chars.

    There is a GPO ".\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Configure use of passwords for fixed data drives" which indicates that there is a minimum of 8 chars for a password.

    This setting takes effect on Windows 10 machines while it is obviously ignored by our Windows 8.1 machines.

    This may help some of you with same "migration" issue.

    cheers ;-)

    Friday, February 8, 2019 11:31 AM
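    The two replies above point at the same class of failure: a BitLocker Group Policy value that rejects what the deployment script asks for (more than one startup method set to Require, TPM+PIN disallowed, or a PIN/password shorter than the policy minimum). The PowerShell below is an added example, not part of this thread and not code from EnableBitLocker.vbs; it reads those policy values from the registry and reports the conflicts before the script ever prompts for a PIN. The value names under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN, MinimumPIN, FDVPassphrase, FDVPassphraseLength) are the ones the BitLocker ADMX templates write, and the 0/1/2 meaning (do not allow / require / allow) is an assumption to verify against the policy editor text on your own domain. The planned PIN and password lengths are parameters you supply; the defaults of 4 mirror the lengths discussed in the thread.

```powershell
# Added example, not part of the thread or of EnableBitLocker.vbs: read the BitLocker policy
# values that the replies above point at and report the conditions they describe.
# The value names below are the ones the BitLocker ADMX templates write under the FVE policy
# key; the 0/1/2 semantics (do not allow / require / allow) are an assumption to verify against
# the Group Policy editor text on your own domain before relying on this output.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $FvePolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value (or the whole key) not configured by policy
    return $item.$Name
}

function Test-BitLockerPolicy {
    param(
        # Length of the PIN the deployment script will prompt for (assumed; used for the check only).
        [int]$PlannedPinLength = 4,
        # Length of the password the script sets on fixed data drives (assumed; see the last reply).
        [int]$PlannedFdvPasswordLength = 4
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # "Require additional authentication at startup": only one method may be set to Require.
    $startupMethods = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'
    $required = @($startupMethods | Where-Object { (Get-FvePolicyValue -Name $_) -eq 1 })
    if ($required.Count -gt 1) {
        $findings.Add("Conflict: more than one startup method is set to Require ($($required -join ', ')).")
    }

    # ProtectKeyWithTPMAndPIN cannot succeed if policy disallows TPM+PIN outright.
    if ((Get-FvePolicyValue -Name 'UseTPMPIN') -eq 0) {
        $findings.Add('TPM+PIN is set to "Do not allow"; ProtectKeyWithTPMAndPIN will be rejected.')
    }

    # "Configure minimum PIN length for startup": the prompted PIN must meet it.
    $minPin = Get-FvePolicyValue -Name 'MinimumPIN'
    if ($null -ne $minPin -and $PlannedPinLength -lt $minPin) {
        $findings.Add("Planned PIN length $PlannedPinLength is below the policy minimum of $minPin.")
    }

    # "Configure use of passwords for fixed data drives": its minimum length applies when enabled.
    if ((Get-FvePolicyValue -Name 'FDVPassphrase') -eq 1) {
        $minFdv = Get-FvePolicyValue -Name 'FDVPassphraseLength'
        if ($null -ne $minFdv -and $PlannedFdvPasswordLength -lt $minFdv) {
            $findings.Add("Planned fixed-drive password length $PlannedFdvPasswordLength is below the policy minimum of $minFdv.")
        }
    }

    if ($findings.Count -eq 0) { $findings.Add('No conflicting BitLocker policy values found.') }
    return $findings
}

# Run from an elevated prompt before the deployment script so a policy problem surfaces
# before the PIN prompt rather than as an HRESULT from ProtectKeyWithTPMAndPIN.
Test-BitLockerPolicy -PlannedPinLength 4 -PlannedFdvPasswordLength 4 | ForEach-Object { Write-Output $_ }
```

    Because the values are read from the policy hive rather than from the BitLocker WMI provider, the check works on a machine where protection is still off (protection status 0, as in the log above) and needs only the same elevated prompt the script already runs from.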