BitLocker auto-unlock and some key protector deletions cause 0x80070490 "element not found" error in Windows 7 RTM x64

  • Question

  • I've been writing a GUI tool as a BitLocker enhancement, using Visual Studio 2008 and the WMI class Win32_EncryptableVolume.  The purpose of this tool is to support nearly every BitLocker function available in an easy-to-use GUI that will enable users on all BitLocker-capable versions of Windows (Vista, Server 2008, 7 and Server 2008 R2) to encrypt all of their drives, internal and external, including flash drives.

    As I've developed this application, I've used several computers for testing.  One has Windows Vista Enterprise x86; the others have either Windows 7 Ultimate (RTM) x64 or Windows Server 2008 R2 (RTM) x64.  I use my application, as well as manage-bde and BitLocker wizards to run repeated tests, verifications, etc.

    A peculiar case popped up today, and it has to do with enabling automatic unlocking and key protector management on one of my drives on one of the test machines.  Whenever I try to use the BitLocker wizard (right-click the drive > Manage BitLocker > Turn on Automatic Unlocking on this Computer), I get a red circle with an X and a message that says very plainly, "Element not found."

    I decided to give my GUI application a try at it, and it reported back to me the following:

    1. The external key (BEK) protector was successfully created.  (A BEK must be added that you enable as the auto-unlock key--at least through WMI.)
    2. Enabling auto-unlock failed with the error 0x80070490 ELEMENT_NOT_FOUND.
    3. Subsequent attempt to delete the aforementioned BEK also failed, also with 0x80070490 ELEMENT_NOT_FOUND.

    Interestingly, I can manually add BEK key protectors to the drive, but I can't delete them.  Any attempt to delete them generates element not found.

    Here's the breakdown on the computer in question:

    HP d5200t / Intel Q9650 quad core 3.0 GHz / 8 GB RAM
    Onboard SATA controller (RAID capable), supports 6 devices
    Primary HDD:  640 GB SATA
    Second HDD:  320 GB SATA
    3 & 4 devices:  DVD+-RW, BD-ROM
    5 & 6 HDD:  Twin 250 GB SATA in hardware RAID-1 configuration

    I have a dual-boot configuration:
    The primary HDD contains the Windows Boot Manager in a 100 MB hidden partition named System Reserved.  The primary HDD also contains Windows 7 Ultimate x64.  The 3 & 4 HDD RAID-1 leverages the Windows Boot Manager on the primary HDD and contains Windows Server 2008 R2 x64.

    This problem occurs ONLY when I'm running in Windows 7:
    Drive C is the OS drive, and is encrypted.  (Windows 7)
    Drive D is the RAID-1 drive, and is encrypted.  (Windows Server 2008 R2)
    Drive E is the second (320 GB) HDD, is a data drive, and is encrypted.
    I have a few USB and one FireWire HDDs hooked up as well, all of which are encrypted.
    I am able to enable auto-unlock on the E drive, as well as the USB and FireWire drives without issue in Windows 7.  ONLY the D drive gives me a problem.

    When I boot in Windows Server 2008 R2:
    Drive C is the OS drive, and is encrypted. (Windows Server 2008 R2 - note that the OS drive sees itself as "C" (it was "D" in Windows 7))
    Drive D is the second (320 GB) HDD.
    Drive E is the Windows 7 drive.
    I am able to enable auto-unlock on all of the volumes (except the OS volume -- you cannot enable auto-unlock on the currently running OS volume).  Interestingly, I am able to enable auto-unlock on the volume containing Windows 7!

    I came across an article where someone had an issue with a Windows Vista Restore, where "element not found" popped up.  This individual traced the problem back to the BIOS, where he mentioned that even though he had "USB boot priority" turned off in the BIOS, an externally-attached USB disk was still showing as the first boot option in the hard drives.  By putting his actual boot drive first, he was able to fix the problem.  I checked my BIOS, and everything seemed okay, but I decided to take things one step further and DISCONNECTED all of my USB drives and the FireWire drive.  So now the only disks attached were the four internal SATA drives.

    My question(s) thus are:

    1.  Why can I enable auto-unlock on all volumes except the one (that happens to contain another Windows 7 family OS)?
    2.  Why can I perform SOME BitLocker tasks like ADDING key protectors to the volume in question, but not others (like enabling auto-unlock or deleting key protectors)?
    3.  Why am I able to perform ALL BitLocker tasks on ALL volumes when I boot to Windows Server 2008 R2?

    Because of my testing, I admit that I had tinkered with group policy, both locally and via domain, including enabling FIPS compliance.  Before I posted this note, I reverted all policy settings back to their defaults and even rebooted for good measure, and also did a gpupdate /force /boot (with another reboot) just to be absolutely certain that the policies were back to their defaults.  This did NOT fix the problem.  I didn't think it would, since the Windows 7 installation and Server 2008 R2 installation utilize the same Active Directory policy, obtained from a Server 2008 R2 domain controller.

    I checked the event logs to see if anything possibly would provide a clue, but I see nothing posted by BitLocker, BDE or FVE.

    Here are two dumps from bcdedit (both taken from Windows 7).  One shows the identifiers (/enum) and the other has names (/v).  Perhaps there is something in here that isn't configured correctly?  I made only one change to this.  I installed Windows 7 first, followed by Server 2008 R2; I ran bcdedit to change the default boot to Windows 7.

    C:\Windows\system32>bcdedit /v

    Windows Boot Manager
    --------------------
    identifier              {9dea862c-5cdd-4e70-acc1-f32b344d4795}
    device                  partition=\Device\HarddiskVolume1
    description             Windows Boot Manager
    locale                  en-US
    inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    default                 {3cc8eb1f-853e-11de-a0f6-93f6b1f3d58c}
    resumeobject            {3cc8eb1e-853e-11de-a0f6-93f6b1f3d58c}
    displayorder            {3cc8eb23-853e-11de-a0f6-93f6b1f3d58c}
                            {3cc8eb1f-853e-11de-a0f6-93f6b1f3d58c}
    toolsdisplayorder       {b2721d73-1db4-4c62-bf78-c548a880142d}
    timeout                 30

    Windows Boot Loader
    -------------------
    identifier              {3cc8eb23-853e-11de-a0f6-93f6b1f3d58c}
    device                  partition=D:
    path                    \Windows\system32\winload.exe
    description             Windows Server 2008 R2
    locale                  en-US
    inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    recoveryenabled         No
    osdevice                partition=D:
    systemroot              \Windows
    resumeobject            {3cc8eb22-853e-11de-a0f6-93f6b1f3d58c}
    nx                      OptOut
    hypervisorlaunchtype    Auto

    Windows Boot Loader
    -------------------
    identifier              {3cc8eb1f-853e-11de-a0f6-93f6b1f3d58c}
    device                  partition=C:
    path                    \Windows\system32\winload.exe
    description             Windows 7
    locale                  en-US
    inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    recoveryenabled         No
    osdevice                partition=C:
    systemroot              \Windows
    resumeobject            {3cc8eb1e-853e-11de-a0f6-93f6b1f3d58c}
    nx                      OptIn

    C:\Windows\system32>bcdedit /enum

    Windows Boot Manager
    --------------------
    identifier              {bootmgr}
    device                  partition=\Device\HarddiskVolume1
    description             Windows Boot Manager
    locale                  en-US
    inherit                 {globalsettings}
    default                 {current}
    resumeobject            {3cc8eb1e-853e-11de-a0f6-93f6b1f3d58c}
    displayorder            {3cc8eb23-853e-11de-a0f6-93f6b1f3d58c}
                            {current}
    toolsdisplayorder       {memdiag}
    timeout                 30

    Windows Boot Loader
    -------------------
    identifier              {3cc8eb23-853e-11de-a0f6-93f6b1f3d58c}
    device                  partition=D:
    path                    \Windows\system32\winload.exe
    description             Windows Server 2008 R2
    locale                  en-US
    inherit                 {bootloadersettings}
    recoveryenabled         No
    osdevice                partition=D:
    systemroot              \Windows
    resumeobject            {3cc8eb22-853e-11de-a0f6-93f6b1f3d58c}
    nx                      OptOut
    hypervisorlaunchtype    Auto

    Windows Boot Loader
    -------------------
    identifier              {current}
    device                  partition=C:
    path                    \Windows\system32\winload.exe
    description             Windows 7
    locale                  en-US
    inherit                 {bootloadersettings}
    recoveryenabled         No
    osdevice                partition=C:
    systemroot              \Windows
    resumeobject            {3cc8eb1e-853e-11de-a0f6-93f6b1f3d58c}
    nx                      OptIn

    Sorry if this post was so long.  I wanted to be sure I didn't leave anything out.  If you need more detail please let me know!

    Best regards,
    Matt

    Friday, September 4, 2009 2:34 AM
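As an added read-only example, not Matt's tool or any code from the post, the PowerShell below walks the same Win32_EncryptableVolume WMI class (via Get-WmiObject, which Windows 7 ships with) and reports each volume's protection status, key protectors and auto-unlock state, decoding the 0x80070490 return value the post describes. The decode tables and function names are constructed here; the WMI method names are the class's own.

```powershell
# Added diagnostic, not code from the post: report every Win32_EncryptableVolume's
# protection status, key protectors and auto-unlock state, decoding the return codes.
$Namespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Constructed decode tables: 0x80070490 is HRESULT_FROM_WIN32(ERROR_NOT_FOUND).
$ReturnCodes = @{ '0x00000000' = 'S_OK'; '0x80070490' = 'ERROR_NOT_FOUND (element not found)' }
$ProtectorTypes = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (BEK)'; 3 = 'Numerical password'
                     4 = 'TPM+PIN'; 5 = 'TPM+startup key'; 6 = 'TPM+PIN+startup key'
                     7 = 'Public key'; 8 = 'Passphrase'; 9 = 'TPM certificate'; 10 = 'CNG' }

function Format-BdeReturnCode([uint32]$ReturnValue) {
    $hex = '0x{0:X8}' -f $ReturnValue
    if ($ReturnCodes.ContainsKey($hex)) { "$hex $($ReturnCodes[$hex])" } else { $hex }
}

function Get-BdeVolumeReport {
    param([string]$ComputerName = '.')
    $volumes = Get-WmiObject -Namespace $Namespace -Class Win32_EncryptableVolume -ComputerName $ComputerName
    foreach ($vol in $volumes) {
        $prot = $vol.GetProtectionStatus()          # ProtectionStatus: 0 = off, 1 = on, 2 = unknown
        $keys = $vol.GetKeyProtectors(0)            # 0 = every protector type
        $auto = $vol.IsAutoUnlockEnabled()          # errors on the running OS volume by design
        $protectors = @()
        if ($keys.ReturnValue -eq 0 -and $keys.VolumeKeyProtectorID) {
            foreach ($id in $keys.VolumeKeyProtectorID) {
                $t = $vol.GetKeyProtectorType($id)
                $protectors += ('{0} {1}' -f $id, $ProtectorTypes[[int]$t.KeyProtectorType])
            }
        }
        New-Object PSObject -Property @{
            Drive            = $vol.DriveLetter
            ProtectionStatus = $prot.ProtectionStatus
            Protectors       = $protectors
            ProtectorsResult = Format-BdeReturnCode $keys.ReturnValue
            AutoUnlock       = $auto.IsAutoUnlockEnabled
            AutoUnlockResult = Format-BdeReturnCode $auto.ReturnValue
        }
    }
}

Get-BdeVolumeReport | Format-List
```

Running this from each installed OS in turn gives a side-by-side record of which volume each OS sees as the OS volume and which protectors it can enumerate, which is the evidence a support engineer would ask for before touching key protectors.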