can't add recovery protector to system drive

I try to use the following command:

manage-bde.exe c: -protectors -add -rp -rk i:\

but get the following result:

Key Protectors Added:

ERROR: An attempt to access a required resource was denied.

Check that you have administrative rights on the computer.

I am the admin.

I get the same result using the local admin account or the domain admin account.

TPM is NOT enabled. Changed the policy to use a USB drive.

I can use the "wizard" to encrypt, although it "asks" for a retry when using the USB drive.

If I try to use:

manage-bde.exe -on c: -rp -rk i:\

I get the same result as above: An attempt to access  .......

May 14th, 2015 1:16pm

Hi

Do you have this issue when you encrypt the system drive using just a password? If that goes with no problem, there must be an offending group policy which prevents you from adding the recovery key to USB.

Make sure you run command prompt as administrator.

I found several relevant policies for you (there might be more due to policy conflicts).

Local Computer Policy | Computer Configuration | Administrative Templates | Windows Components | Operating Systems Drives | BitLocker Drive Encryption -> "Require additional authentication at startup" and "Choose how BitLocker-protected operating system drives can be recovered". Make sure you allow the system drive to be recovered by using a recovery key, and allow USB to recover the system without TPM.

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Deny write access to removable drives not protected by BitLocker

BitLocker Group Policy Reference

https://technet.microsoft.com/en-us/library/ee706521%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396#BKMK_driveaccess2

Regards,

D. Wu

May 17th, 2015 7:54pm

Access denials will happen even for a domain admin if you don't start the command prompt elevated. So go and right-click cmd.exe and select "Run as administrator" and retry.
May 26th, 2015 6:15pm

May 26th, 2015 10:12pm
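
The two causes raised in the replies (a non-elevated prompt and a restrictive BitLocker policy) can be checked together before retrying. The script below is an added example, not part of any post in this thread; it only reads state. The registry paths and value names are assumptions about where these policies are stored, and `I:\` is the USB drive letter from the question; confirm the effective policy with `gpresult /h` before relying on it.

```powershell
# Added example (not from the thread): read-only preflight before running
#   manage-bde.exe c: -protectors -add -rp -rk i:\
$usb = 'I:\'   # USB drive letter taken from the question

# Under UAC an administrator's normal token is filtered, so test the current
# process token rather than account or group membership.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Read one policy value; $null means the policy is not configured.
function Get-FvePolicy([string]$Key, [string]$Name) {
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name } else { $null }
}

# Assumed registry locations of the policies named in the reply.
$os  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$rdv = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
$state = [ordered]@{
    Elevated           = $elevated
    UsbPresent         = Test-Path -LiteralPath $usb
    UseAdvancedStartup = Get-FvePolicy $os  'UseAdvancedStartup'
    EnableBDEWithNoTPM = Get-FvePolicy $os  'EnableBDEWithNoTPM'
    OSRecovery         = Get-FvePolicy $os  'OSRecovery'
    OSRecoveryKey      = Get-FvePolicy $os  'OSRecoveryKey'
    RDVDenyWriteAccess = Get-FvePolicy $rdv 'RDVDenyWriteAccess'
}
$state.GetEnumerator() | Format-Table Name, Value -AutoSize

# Report likely blockers, most common first.
$findings = @()
if (-not $elevated) {
    $findings += 'Prompt is not elevated: use "Run as administrator" and retry.' }
if (-not $state.UsbPresent) {
    $findings += "USB drive $usb is not mounted." }
if ($state.UseAdvancedStartup -eq 1 -and $state.EnableBDEWithNoTPM -ne 1) {
    $findings += 'Startup policy is set but does not allow BitLocker without a TPM.' }
if ($state.OSRecovery -eq 1 -and $state.OSRecoveryKey -eq 0) {
    $findings += 'OS drive recovery policy does not allow a recovery key (-rk).' }
if ($state.RDVDenyWriteAccess -eq 1) {
    $findings += 'Unprotected removable drives are write-denied; the key file cannot be saved to USB.' }
if ($findings.Count -eq 0) { 'No blocker found by these checks.' } else { $findings }
```

Run it once from the same window you use for `manage-bde.exe`; `Elevated` reading `False` there reproduces the condition described in the last reply.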

This topic is archived. No further replies will be accepted.
