Unable to encrypt Drive with Bit Locker

  • Question

  • Hello,

    I am working as an IT administrator in my organization and have a client who has this issue with BitLocker. When I try to enable BitLocker on his machine, I get the error as follows:

    C:\WINDOWS\system32>manage-bde -on C: 
    BitLocker Drive Encryption: Configuration Tool version 10.0.14393 
    Copyright (C) 2013 Microsoft Corporation. All rights reserved. 

    Volume C: [System] 
    [OS Volume] 
    ERROR: Specifying the parameter '-StartupKey' or '-Password' is required to 
    BitLocker-protect the OS volume. 

    Type "manage-bde -on -?" for more information. 

    NOTE: If the -on switch has failed to add key protectors or start encryption, 
    you may need to call "manage-bde -off" before attempting -on again. 

    C:\WINDOWS\system32> 

    The Drive status is unlocked and it is not encrypted, plus running "manage-bde -off" yields nothing. The only recent change done on his system was the installation of 1607 Windows 10 Update via policy. The only option we are at now is to re-format the system as there is no recovery key available under Sophos Management Console which is used as the database to manage BitLocker Keys. It throws an error of Missing POA or Key information if we try to get recovery key for this computer. Is there any way we can fix the BitLocker encryption to work or is reset the only option? Please let me know in case of any additional information.

    Thanks,

    Wednesday, February 28, 2018 4:59 AM

All replies

  • There are policies enforced that won't let you turn on BitLocker that way, but, as said, require an additional password or PIN protector.

    manage-bde -on c: -tp -rp


    Wednesday, February 28, 2018 9:13 AM
  • This is the current drive status if that helps:

    C:\WINDOWS\system32>manage-bde -status
    BitLocker Drive Encryption: Configuration Tool version 10.0.14393
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Disk volumes that can be protected with
    BitLocker Drive Encryption:
    Volume C: [System]
    [OS Volume]

        Size:                 475.13 GB
        BitLocker Version:    None
        Conversion Status:    Fully Decrypted
        Percentage Encrypted: 0.0%
        Encryption Method:    None
        Protection Status:    Protection Off
        Lock Status:          Unlocked
        Identification Field: None
        Key Protectors:       None Found

    Still get the same error

    Wednesday, February 28, 2018 10:12 AM
  • "Still get the same error" - "still"? What did you do, use my script line? Ok, looking at the error message again, I see the problem: you need to specify a password or startup key.

    manage-bde -on c: -pw -rp

    Wednesday, February 28, 2018 10:21 AM
  • Apologies for any confusion. Yes, I used the script line. I did the following on the client computer and currently, the drive is 32% encrypted.

    Right-click on C Drive, Turn On BitLocker, created a password as it prompted to use for every login, saved the recovery key and rebooted the system. Now when I run manage-bde -status, it is encrypting.

    Is there a way to stop it prompting for a password on every boot though?

    Thanks,

    Wednesday, February 28, 2018 11:28 AM
  • Does your machine have a TPM chip? If so, enable the TPM and use a TPM protector like this:

    manage-bde -protectors -delete -type password c:

    (removes the password again)

    and

    manage-bde -protectors -add -tpm c:

    (adds a TPM protector for automatic unlocking at startup).


    Wednesday, February 28, 2018 11:50 AM
  • Thanks so much for the response. It seems something is wrong with the TPM chip of the machine. I will try to check BIOS and try the command again. For now, at least I have BitLocker encryption enabled for the client. Will post my results soon.

    Thanks,

    Wednesday, February 28, 2018 1:34 PM
  • Please be aware that if you remove the password using that command and you are unable to activate the TPM, then only the recovery key enables you to boot the machine, so please take good care of it.

    manage-bde -protectors -get c:

    displays it once more ("numerical password", 48 digits).

    Wednesday, February 28, 2018 1:46 PM
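
The protector swap discussed in the replies above, with the checks from the last reply applied in order, as an added PowerShell example (not code from the thread). It uses the built-in BitLocker and TPM cmdlets; the `$MountPoint` value is an assumption.

```powershell
# Added example: replace a BitLocker password protector with a TPM protector
# without ever leaving the volume with only one way to unlock it.
# Run from an elevated PowerShell session.
$ErrorActionPreference = 'Stop'
$MountPoint = 'C:'   # assumption: the OS volume from the thread

$volume = Get-BitLockerVolume -MountPoint $MountPoint

# 1. A recovery password (the 48-digit "numerical password") must already
#    exist, because it is the fallback if the TPM later fails to unlock.
$recovery = $volume.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    throw "No recovery password on $MountPoint. Add one with " +
          "'manage-bde -protectors -add $MountPoint -rp' and store it first."
}

# 2. The TPM must be present and ready before anything is changed.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM present: $($tpm.TpmPresent), ready: $($tpm.TpmReady). " +
          "Leaving the password protector in place."
}

# 3. Add the TPM protector BEFORE removing the password. If this step fails
#    (for example because policy does not allow it), the script stops here
#    and the password protector is untouched.
if (-not ($volume.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
}

# 4. Re-read the volume and confirm the TPM protector is really there.
$volume = Get-BitLockerVolume -MountPoint $MountPoint
if (-not ($volume.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
    throw "TPM protector was not added. Password protector kept."
}

# 5. Only now remove the password protector(s).
$volume.KeyProtector |
    Where-Object KeyProtectorType -eq 'Password' |
    ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $_.KeyProtectorId | Out-Null
    }

# Show the remaining protector types (no secrets are printed).
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```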