Group Policy Conflict When Turning On Bitlocker if it's Previously Been Used
I turned on BitLocker on my Win7 x64 machine several months ago and used it flawlessly. I had configured it to use TPM+PIN and everything worked perfectly. The only group policy change I made myself was to set "Require additional authentication at startup" to "Require startup PIN with TPM".
Then about a month ago I was told my organization was switching to another enterprise encryption product, so in preparation for the switch I went to Control Panel - BitLocker Drive Encryption and clicked Turn Off BitLocker. BitLocker decrypted the drive and everything worked perfectly.
But now here comes my problem. It turns out that the enterprise encryption product my organization is switching to doesn't yet have an x64-compatible client. This means I need to go *back* to BitLocker, so I went back to Control Panel - BitLocker Drive Encryption and clicked Turn On BitLocker (for the C: drive). Almost instantly, on the Starting BitLocker dialog, I get the error:
"The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information."
I cannot for the life of me figure out which group policies are conflicting. I changed "Require additional authentication at startup" to "Not Configured" but it didn't make any difference. I have verified that *every* policy under the BitLocker Drive Encryption folder is set to "Not Configured".
I even tried setting Computer Configuration - Administrative Templates - System - Power Management - Sleep Settings:
Allow Standby States (S1-S3) When Sleeping (Plugged In)
Allow Standby States (S1-S3) When Sleeping (On Battery)
both to Disabled, because I'd read somewhere those could cause conflicts. It didn't make any difference.
Just as an FYI, manage-bde -status currently shows:
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: []
[OS Volume]
Size: 465.66 GB
BitLocker Version: None
Conversion Status: Fully Decrypted
Percentage Encrypted: 0%
Encryption Method: None
Protection Status: Protection Off
Lock Status: Unlocked
Identification Field: None
Key Protectors: None Found
Any help would be greatly appreciated-
Thanks-
August 18th, 2010 4:46pm
Hi,
Thanks for the post!
Please open cmd and run "gpresult -v > D:\gpresult.txt", then open that file on the D: drive and compare the group policies with the list here:
http://windows.microsoft.com/en-US/windows7/What-Group-Policy-settings-are-used-with-BitLocker. Then you can find which group policy was changed and change it back.
Hope it helps!
Regards,
Miya Yao
August 20th, 2010 11:59am
I have a similar problem. No answers from MSFT, only run of the mill responses from support that have been worthless and full of product arrogance.
Try this:
manage-bde.exe -protectors -delete c: -type tpm
It should get rid of the group policy errors. Then you can re-add the TPM + PIN protector.
August 20th, 2010 8:56pm
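The two diagnostic steps suggested so far in this thread (compare the effective BitLocker policy, then clear the TPM protector) can be combined into one check. The script below is an added example, not from any poster or from Microsoft: it reads the BitLocker startup-option policy values that Windows 7 stores under HKLM\SOFTWARE\Policies\Microsoft\FVE (the key both the "Require additional authentication at startup" setting and its Windows Vista/Server 2008 variant write to), prints them with their meaning, and flags the two combinations this script assumes to be behind the "startup options are in conflict" message: every TPM option set to "Do not allow", or more than one option set to "Require". It then runs the protector deletion and status commands from the thread. Run it from an elevated PowerShell prompt; the value encoding (0 = Do not allow, 1 = Require, 2 = Allow) and the conflict rules are the script's assumptions.

```powershell
# Added example: inspect BitLocker startup-option policy values and clear stale TPM protector state.
# Assumes the documented FVE policy key and value names; the conflict rules are this script's own.
$fve        = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$tpmOptions = @('UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN')   # assumed: 0=Do not allow, 1=Require, 2=Allow
$labels     = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

function Get-BitLockerStartupPolicy {
    # Returns only the startup-option values that are actually present in the policy key.
    $policy = @{}
    if (-not (Test-Path $fve)) { return $policy }
    $props = Get-ItemProperty -Path $fve
    foreach ($name in @('UseAdvancedStartup', 'EnableBDEWithNoTPM') + $tpmOptions) {
        if ($null -ne $props.$name) { $policy[$name] = [int]$props.$name }
    }
    return $policy
}

function Test-BitLockerStartupPolicyConflict {
    param([hashtable]$Policy)
    $problems = @()
    if ($Policy.Count -eq 0) { return $problems }   # nothing configured: wizard defaults apply

    $present  = @($tpmOptions | Where-Object { $Policy.ContainsKey($_) })
    $required = @($present    | Where-Object { $Policy[$_] -eq 1 })
    $denied   = @($present    | Where-Object { $Policy[$_] -eq 0 })

    # Assumed rule 1: the policy is enabled but no TPM-based protector is permitted.
    if ($Policy['UseAdvancedStartup'] -eq 1 -and $denied.Count -eq $tpmOptions.Count) {
        $problems += 'All TPM startup options are "Do not allow"; no TPM protector can be created.'
    }
    # Assumed rule 2: two mutually exclusive options are both marked "Require".
    if ($required.Count -gt 1) {
        $problems += "More than one option is set to 'Require': $($required -join ', ')."
    }
    return $problems
}

$policy = Get-BitLockerStartupPolicy
if ($policy.Count -eq 0) {
    "No BitLocker startup policy values under $fve (everything is 'Not Configured')."
} else {
    $policy.GetEnumerator() | Sort-Object Name | ForEach-Object {
        $meaning = if ($labels.ContainsKey($_.Value)) { $labels[$_.Value] } else { 'unknown value' }
        '{0,-20} = {1} ({2})' -f $_.Name, $_.Value, $meaning
    }
}

$conflicts = Test-BitLockerStartupPolicyConflict -Policy $policy
if ($conflicts.Count -gt 0) {
    $conflicts | ForEach-Object { "CONFLICT: $_" }
} else {
    'No startup-option conflict detected in the FVE policy key.'
}

# If the policy key is clean but Turn On BitLocker still fails, clear any leftover TPM
# protector state as suggested in the thread, then show the volume status again.
& manage-bde.exe -protectors -delete C: -type TPM
& manage-bde.exe -status C:
```

If the FVE key is absent or empty and the error persists, the remaining suspects are the gpresult output (a domain GPO re-applying values the local editor shows as "Not Configured") and the Vista/Server 2008 variant of the startup setting, which writes the same value names and is easy to overlook in the Local Group Policy Editor.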
Thanks for the reply, but all the settings listed in that link are set to their default value.
Is it possible one actually should not be set to the default (Not Configured)?
Thanks-
August 24th, 2010 6:26am
Thanks for the info, but I actually have already deleted all the protectors. In my first post I included the output from manage-bde -status, and it shows Key Protectors: None Found (so there's nothing to delete).
Any other ideas?
This is driving me nuts. :(
Thanks-
August 24th, 2010 6:28am
OK, maybe I spoke too soon. Deleting the TPM protector did return an error saying no protectors were found, but after I (prematurely) replied I went ahead and tried to restart BitLocker anyway, and to my surprise it fired up and let me start encrypting the drive!
So maybe it reset something even though it didn't delete the TPM protector? At this point I don't even care; I'm just glad it's working again. :)
Thank you very much-
August 24th, 2010 4:45pm
Hey kenneth_scott,
Do you mind me asking what GPO settings you have for BitLocker that got you working with TPM+PIN? I am having the exact same error come up in my log when I try to enable BitLocker TPM+PIN using the EnableBitLocker.vbs I got from MS TechNet.
I tried the command LongShort mentioned earlier in this thread, restarted my machine, and still no dice. Thanks.
January 25th, 2011 6:57pm
I wanted to add the command I am running from a command prompt as administrator:
Cscript EnableBitLocker.vbs /on:tp /l:c:\windows\options\sms\enablebitlocker.log /rk /promptuser /sms
January 25th, 2011 7:17pm