Can't enable BitLocker on c:\ drive

  • Question

  • Hello,
    Previously the machine was using 3rd party disk encryption. After it was decrypted, I checked TPM.MSC and saw the following:

    It's worth mentioning that the machine in question already has some BitLocker settings applied through GPO. The delivered settings are minimal and basic and supply the following settings:

    Computer Configuration\Administrative Templates\Windows Components\Windows Security\Device security
    Disable TPM clear button
    Hide the TPM Firmware Update recommendation

    Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption
    Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)

    Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives
    Deny write access to fixed drives not protected by BitLocker
    Setting: Enable

    Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives
    Enforce drive encryption type on fixed data drives
    Setting: Enable – Full encryption

    Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives
    Choose how BitLocker-protected fixed drives can be recovered
    Setting: BitLocker recovery information will be saved to Active Directory

    Results of:
    Get-TPM

    Starting encryption:

    Error after reboot:

    What am I missing?


    Memento Mori

    Monday, November 4, 2019 3:03 PM
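The post above shows only screenshots of Get-TPM, the encryption start and the post-reboot error. The following script is an added example, not code from the original post or from Microsoft, that collects the same readiness facts as return values so they can be gathered from many machines at once. It assumes an elevated PowerShell session on Windows 10 with the BitLocker and TrustedPlatformModule modules, and that the OS drive is C:.

```powershell
# Added example (not from the original post): pre-flight check for enabling
# BitLocker on the OS drive after a third-party encryption product was removed.
# Assumes Windows 10, elevated PowerShell, BitLocker + TrustedPlatformModule modules.

function Test-BitLockerReadiness {
    [CmdletBinding()]
    param(
        [string]$MountPoint = 'C:'   # assumption: the OS drive is C:
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. TPM state. TpmReady is $false when the chip is present but not provisioned,
    #    which is common after a vendor encryption product owned or disabled it.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add('TPM not present or not exposed to Windows')
    }
    elseif (-not $tpm.TpmReady) {
        $findings.Add("TPM present but not ready (Enabled=$($tpm.TpmEnabled), Activated=$($tpm.TpmActivated), Owned=$($tpm.TpmOwned))")
    }
    if ($tpm.RestartPending) { $findings.Add('A TPM change is waiting for a reboot') }
    if ($tpm.LockedOut)      { $findings.Add("TPM is in lockout; heals after $($tpm.LockoutHealTime)") }

    # 2. Volume state. A volume that was never fully decrypted, or a previous
    #    BitLocker attempt that left protectors behind, shows up here.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.ProtectionStatus -ne 'On') {
        $findings.Add("Volume $MountPoint is $($vol.VolumeStatus) with protection $($vol.ProtectionStatus)")
    }
    if ($vol.KeyProtector.Count -gt 0 -and $vol.ProtectionStatus -eq 'Off') {
        $findings.Add('Key protectors exist but protection is off (leftover from an earlier attempt)')
    }

    # 3. Boot environment. The default TPM protector measures the UEFI boot path;
    #    Confirm-SecureBootUEFI throws on legacy BIOS firmware.
    try {
        if (-not (Confirm-SecureBootUEFI)) { $findings.Add('Secure Boot is disabled') }
    }
    catch {
        $findings.Add('Firmware is legacy BIOS, or Secure Boot state could not be read')
    }

    # 4. The GPO in the question saves recovery information to Active Directory,
    #    so the machine needs domain membership and a reachable DC when protectors are added.
    if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        $findings.Add('Machine is not domain-joined; AD backup of recovery information cannot succeed')
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        MountPoint   = $MountPoint
        TpmReady     = [bool]$tpm.TpmReady
        Ready        = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

Test-BitLockerReadiness | Format-List
```

One caveat worth checking against the policy list above: every BitLocker setting quoted there lives under Fixed Data Drives, while the drive being encrypted is C:, which is governed by the separate Operating System Drives node (for example the requirement for additional authentication at startup). A readiness report that says the TPM is ready but the volume still refuses to enable is a reason to compare the OS-drive policies on the machine, not only the fixed-drive ones.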

All replies

  • Seems to be a TPM malfunction. Can you clear it and retry?

    Monday, November 4, 2019 3:14 PM
  • Clearing TPM would highly likely require physical presence in front of the machine, I don't have that option, as the solution needs to be deployed across multiple machines. There's an option to control BIOS remotely through PowerShell commands provided by the vendor, however for "Set TPM to factory settings" I'm getting Access Denied, although I'm executing it correctly.

    It can very well be a situation with the BIOS/TPM itself that would require some additional changes/reset/adjustment, however from purely Windows perspective - am I missing anything?

    Memento Mori

    Monday, November 4, 2019 3:31 PM
  • The PowerShell command is Clear-Tpm. It can be executed using an immediate task, so it is deployable, no physical presence required. However, this was just an idea, just a test - do it manually, before proceeding.

    Your screenshot shows "clear TPM", although the policy "Disable TPM clear button" is active - hmm. But anyway, try it.

    Monday, November 4, 2019 3:35 PM
  • It shows that physical presence is required:


    Memento Mori

    Monday, November 4, 2019 4:50 PM
  • Please read https://ladyitris.wordpress.com/manage-the-physical-presence-interface/ which could help to clear it without physical presence.
    Tuesday, November 5, 2019 12:09 PM
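The two replies above disagree on whether Clear-Tpm can be pushed through an immediate task without someone at the keyboard; the deciding factor is how the firmware's Physical Presence Interface (PPI) treats a clear request. The script below is an added example, not code from the thread, the linked article or Microsoft, that asks the firmware for that answer before anything is staged. It assumes an elevated session on Windows 10, that the Win32_Tpm WMI class is in the root\cimv2\Security\MicrosoftTpm namespace, and that PPI operation number 5 means "Clear" as defined in the TCG Physical Presence Interface specification.

```powershell
# Added example (not from the thread): decide whether a TPM clear can succeed
# on a machine nobody is sitting at, before deploying Clear-Tpm at scale.
# Assumptions: elevated PowerShell on Windows 10; Win32_Tpm lives in
# root\cimv2\Security\MicrosoftTpm; PPI operation 5 = "Clear" (TCG PPI spec).

function Get-TpmClearFeasibility {
    [CmdletBinding()]
    param(
        [switch]$Execute   # issue Clear-Tpm only when the firmware allows it unattended
    )

    $tpm    = Get-Tpm
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm

    # Ask the firmware how it will handle a PPI "Clear" request (operation 5).
    # ConfirmationStatus per the TCG PPI specification:
    #   0 = not implemented, 1 = only BIOS setup can do it,
    #   2 = blocked by firmware policy, 3 = allowed after a user confirms at boot,
    #   4 = allowed without any user interaction.
    $ppi = Invoke-CimMethod -InputObject $wmiTpm `
        -MethodName 'GetPhysicalPresenceConfirmationStatus' `
        -Arguments @{ Operation = 5 }
    $status = [int]$ppi.ConfirmationStatus

    $reason = switch ($status) {
        0 { 'Firmware does not implement PPI; the clear must be done in BIOS setup' }
        1 { 'Only BIOS setup can clear this TPM' }
        2 { 'Firmware policy blocks clearing from the OS (consistent with an Access Denied result)' }
        3 { 'Clear will be staged, but someone must confirm at the keyboard on the next boot' }
        4 { 'Clear can run unattended; a reboot completes it' }
        default { "Unknown PPI confirmation status $status" }
    }

    # Unattended only when the firmware allows it and the TPM itself is not refusing.
    $unattended = ($status -eq 4) -and (-not $tpm.OwnerClearDisabled) -and (-not $tpm.LockedOut)

    if ($Execute -and $unattended) {
        Clear-Tpm | Out-Null          # stages the clear; the reboot performs it
        $reason += ' (Clear-Tpm issued; reboot pending)'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        TpmReady           = [bool]$tpm.TpmReady
        OwnerClearDisabled = [bool]$tpm.OwnerClearDisabled
        LockedOut          = [bool]$tpm.LockedOut
        PpiStatus          = $status
        UnattendedClearOk  = $unattended
        Reason             = $reason
    }
}

# Report only; add -Execute after confirming the verdict on one machine by hand.
Get-TpmClearFeasibility | Format-List
```

Running this as SYSTEM from an immediate task is fine; what an immediate task cannot change is a status of 2 or 3, which needs the firmware-side PPI setting the linked article deals with. Clearing a TPM also discards any keys sealed to it, so on a fleet where some machines already have a BitLocker TPM protector, confirm the recovery information is in Active Directory before issuing the clear.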
  • Hi, 

    Any update?

    Bests,


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 13, 2019 8:29 AM
    Moderator