none
BitLocker cannot start RRS feed

  • Question

  • Dear All,

    I am managing a domain with WindowsServer 2008R2. I have several users that using OS Windows 7, 8.1 and 10.

    I want to start encrypt all domain computers with BitLocker. I just want to start with my computer to encrypt but I received following failure;

    TPM is on and cleared.

    "Require additional authentication" is enabled in GPO
    >>Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives 

    I am logged in as admin to my computer.

    So do you have any suggestion to fix this issue?

    My second question is; is there anyway to start encryption remotely for all computers in my domain?

    Wednesday, June 28, 2017 6:30 AM

Answers

  • It's fixed!!

    I just started to disable one-by-one GPO roles in test environment. And I realized there are some roles are active by Acronis user.

    Computer Configuration>Windows Settings>Security Settings>Local Policies>User Rights Assignment;
    Adjust memory quotas for a process
    Log on as a service
    Modify firmware environment values
    Replace a process level token

    So, I tried to disable them and it worked! Thank you very much for your guide!!

    New challenge is; I want to prepare an instruction for my users to start their Bitlocker for encryption by their self. But Bitlocler needs admin rights. Is there any way to give only BitLocker access to users?

    • Marked as answer by Ogi Onculer Saturday, July 15, 2017 5:25 AM
    Friday, July 14, 2017 1:12 PM

All replies

  • This will be a funny effect, it should not occur under normal conditions.

    Please retry on the elevated command line (right click cmd.exe and select "run as administrator"):

    manage-bde -on c: -used -rp

    See if that let's you start BL encryption. if not, please quote the error message. Also try to unset your GPO - it is not needed if you plan to use the TPM.

    --

    2nd question: for volume license customers, there is a software benefit available called MBAM. MBAM helps you with deployment and monitoring. If you don't have access to MBAM, you will need to use scripts, I  could help you, in case.

    Wednesday, June 28, 2017 6:45 AM
  • This will be a funny effect, it should not occur under normal conditions.

    Please retry on the elevated command line (right click cmd.exe and select "run as administrator"):

    manage-bde -on c: -used -rp

    See if that let's you start BL encryption. if not, please quote the error message. Also try to unset your GPO - it is not needed if you plan to use the TPM.

    --

    2nd question: for volume license customers, there is a software benefit available called MBAM. MBAM helps you with deployment and monitoring. If you don't have access to MBAM, you will need to use scripts, I  could help you, in case.

    Hello,

    Here is the failure; 

    PS C:\WINDOWS\system32> manage-bde -on c:  -used -rp
    BitLocker Drive Encryption: Configuration Tool version 10.0.15063
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Volume C: [OS]
    [OS Volume]
    Key Protectors Added:

        Numerical Password:
          ID: {*****-****-*****-***********}
          Password:
            *****-*****-*****-*****-*****-*****

    ERROR: An error occurred (code 0x80070522):
    A required privilege is not held by the client.

    NOTE: If the -on switch has failed to add key protectors or start encryption,
    you may need to call "manage-bde -off" before attempting -on again.

    Wednesday, June 28, 2017 7:42 AM
  • This message would be expected behavior if you are not administrator or you don't run the command prompt elevated. If that does not apply, please retry on a test system and you will see it works.
    Wednesday, June 28, 2017 8:06 AM
  • This message would be expected behavior if you are not administrator or you don't run the command prompt elevated. If that does not apply, please retry on a test system and you will see it works.

    Hello Ronald,

    Unfortunately, I also tried with domain admin access but it is same. Also It is same with another computer in my domain.

    I have Sophos antivirus. Do you think it may cause the problem? I tried to disable it but nothing is changed. Maybe I should uninstall it? 

    Wednesday, June 28, 2017 8:18 AM
  • This message would be expected behavior if you are not administrator or you don't run the command prompt elevated. If that does not apply, please retry on a test system and you will see it works.

    BTW, TPM is on but "prepare the tpm" is greyed out in tpm.msc

    Any reason?

    Wednesday, June 28, 2017 10:20 AM
  • Try on a clean computer without Sophos. A very vague theory would be, that some Anti-ransomware software is detecting encryption processes and stops them - but that is far fetched.

    The TPM is already prepared, that's why it's greyed out.

    Wednesday, June 28, 2017 12:35 PM
  • Try on a clean computer without Sophos. A very vague theory would be, that some Anti-ransomware software is detecting encryption processes and stops them - but that is far fetched.

    The TPM is already prepared, that's why it's greyed out.

    Well, I just wiped the computer and re-install OS. When I try to turn on bitlocker, it was successful before I joined to my domain.

    But just after I joined to domain, I received the same failure again. Once again, I am logged on with enterprise admin account.

    Is there anyway to disable UAC for bitlocker on GPO?

    Thursday, June 29, 2017 5:08 AM
  • ogionculer, I am 100% sure UAC has nothing to do with it. Your AD imposes some Bitlocker policies and I see 2 possible reasons for this misbehavior:

    1 you use both GPOs and also registry keys for bitlocker - if those registry keys "contradict" the GPOs, unexpected results are seen. ->check for deployed registry settings that have "FVE" in their path (FVE=full volume encryption)

    2 you have enforced recovery key AD backup but somehow misconfigured the access rights for the computer objects in AD ->check what non-standard access rights for writing object attributes might be enforced.

    I am pretty sure it is 2.

    Thursday, June 29, 2017 7:39 AM
  • ogionculer, I am 100% sure UAC has nothing to do with it. Your AD imposes some Bitlocker policies and I see 2 possible reasons for this misbehavior:

    1 you use both GPOs and also registry keys for bitlocker - if those registry keys "contradict" the GPOs, unexpected results are seen. ->check for deployed registry settings that have "FVE" in their path (FVE=full volume encryption)

    2 you have enforced recovery key AD backup but somehow misconfigured the access rights for the computer objects in AD ->check what non-standard access rights for writing object attributes might be enforced.

    I am pretty sure it is 2.

    Dear Ronald,

    Thank you for your support again. I tried to check what you asked;

    1- There is no any rule for Registry in GPO

    2- I don't understand what exactly I need to check. I opened AD Users and Computers and open "attribute editor" for computers OU. But I couldn't find what you asked. Or I am maybe totally on the wrong way. May I ask you to explain what exactly I need to check, in details?

    Thursday, June 29, 2017 11:08 AM
  • BTW,

    I tried to change some settings in GPO. When I set following properties, "turn on bitlocker" is worked.

    After a few step is passed, It asked me to provide a pin. And when I typed a pin the same failure appeared again.

    So I believe the problem is with GPO. Because something is changed after I set the settings as I shared. Maybe there is another option that I must check in GPO. Any idea about it?

    ps.: It shows supported on "windows 7". But I am using Windows 10. Do you think it causes the issue?

    Thursday, June 29, 2017 12:23 PM
  • You should use GPOs that are made for win10. I would set that GPO back to "unconfigured" and use the win10 GPOs. Those are either configured using a central store or using RSAT from win10.

    Thursday, June 29, 2017 2:29 PM
  • You should use GPOs that are made for win10. I would set that GPO back to "unconfigured" and use the win10 GPOs. Those are either configured using a central store or using RSAT from win10.

    Hello Ronald,

    I downloaded ADMX file for Windows 10. But it is same..

    By the way, I have new clues... When I try to start BitLocker with OS Win8.1, it is working in the same domain. Problem is definitely with OS Win10.

    I moved my computer and user in a new OU and set as "block inheritance". Then it worked in my OS Win10 computer. So somehow Win10 computers are not set by correct GPO settings. But I am pretty sure that I download and install successfully new ADMX. 

    So with these result, you have any new opinion?

    Thursday, July 6, 2017 5:27 AM
  • Ogi, are you aware that there are two "require additional startup..."-policies in the new ADMX files, one for win8.1/10 and one for win7? Use the correct one on win10. Works here.
    Monday, July 10, 2017 7:31 AM
  • Ogi, are you aware that there are two "require additional startup..."-policies in the new ADMX files, one for win8.1/10 and one for win7? Use the correct one on win10. Works here.

    I tried both... But same :( 

    tip: it is not written as 8.1/10. Do you think have problem? But i am pretty sure that I installed 10 ADMX.

    Wednesday, July 12, 2017 1:07 PM
  • My mistake. Yes, the policies you list are ok, one type for vista/server 2008 and the other for all newer OS', which is what you should be using. Hmmm.

    Let's go one step back to "2 you have enforced recovery key AD backup but somehow misconfigured the access rights for the computer objects in AD ->check what non-standard access rights for writing object attributes might be enforced." ->open the computer object of your test machine in ADUC, select "properties" and go to the security tab and see whether these permissions are as expected. We are doing this to verify if the machine account, which would be called "self" in the ACL, has every permission needed. It would, by default. So you could restore defaults there. There is a button to restore permission defaults there - then retry.

    Thursday, July 13, 2017 7:33 AM
  • I checked where you asked. "SELF" has following permissions by default;

    Create all child objects, Delete all child objects, Validated write to DNS host name, Validated write to service principal name, Read personal information, Write personal information, Special permissions

    I tried to set full control and try again. But it is same.. Then I restored ask you asked and it is same again ... :(

    "A required privilege is not held by the client"

    Friday, July 14, 2017 10:38 AM
  • Sorry, I cannot think of a reason.

    You will have to go the hard route of monitoring. Setup a test domain and a test computer in hyper-v, repeat the steps and you'll see it works. Use procmon/wireshark to see what happens in detail. It seems there is something broken (or simply overlooked again and again).

    Friday, July 14, 2017 11:26 AM
  • It's fixed!!

    I just started to disable one-by-one GPO roles in test environment. And I realized there are some roles are active by Acronis user.

    Computer Configuration>Windows Settings>Security Settings>Local Policies>User Rights Assignment;
    Adjust memory quotas for a process
    Log on as a service
    Modify firmware environment values
    Replace a process level token

    So, I tried to disable them and it worked! Thank you very much for your guide!!

    New challenge is; I want to prepare an instruction for my users to start their Bitlocker for encryption by their self. But Bitlocler needs admin rights. Is there any way to give only BitLocker access to users?

    • Marked as answer by Ogi Onculer Saturday, July 15, 2017 5:25 AM
    Friday, July 14, 2017 1:12 PM
  • Great, Ogi!

    It would be very nice to pinpoint this issue, so please find out by try and error which particular policy it was and list it here, so that me and others can learn from it. :-)

    Your new challenge: please open a new question. I am sure I can help you with that, since we have prepared all that for non-admins, too - it was my project.

    Friday, July 14, 2017 1:53 PM
  • Great, Ogi!

    It would be very nice to pinpoint this issue, so please find out by try and error which particular policy it was and list it here, so that me and others can learn from it. :-)

    Your new challenge: please open a new question. I am sure I can help you with that, since we have prepared all that for non-admins, too - it was my project.

    ;) 

    https://social.technet.microsoft.com/Forums/en-US/8e1639de-e767-4d8d-93fd-ca9f94ccbad3/permissions-for-bitlocker?forum=winserverGP

    Saturday, July 15, 2017 5:30 AM
  • I know this is really old, however I can confirm that setting User Rights Assignment "Modify firmware environment values" to nothing causes BitLocker to give this error message.
    Thursday, March 28, 2019 1:28 AM