Windows 10: Enable-Bitlocker -TpmProtector via GPO does not work (0x80070522)

Discussion in 'AntiVirus, Firewalls and System Security' started by Tesla_PS, Apr 5, 2019.

  1. Tesla_PS Win User

    Enable-Bitlocker -TpmProtector via GPO does not work (0x80070522)


    Hello,

    I am trying to automate the bitlocker in our corporate environment.
    I have written a script which enables BitLocker, and it works fine if I run it manually, but whenever I implement it via GPO (startup script), right after

    Enable-BitLocker -MountPoint C:\ -EncryptionMethod XtsAes256 -SkipHardwareTest -UsedSpaceOnly -TpmProtector

    I see the following error in the transcript:


    Add-TpmProtectorInternal : A required privilege is not held by the client. (Exception from HRESULT: 0x80070522)
    At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2095 char:31
    + ... $Result = Add-TpmProtectorInternal $BitLockerVolumeInternal.MountPo ...
    +                                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-TpmProtectorInternal


    I have tried to wrap the PS script in a bat file:

    powershell.exe -ExecutionPolicy bypass -file "Enable-bitlocker_step2.ps1"

    Enable-bitlocker_step2.ps1 script body:

    Start-Process Powershell.exe -ArgumentList '-ExecutionPolicy bypass -File "\\**********\SYSVOL\***********\scripts\Enable Bitlocker.ps1"' -Verb RunAs -ErrorAction SilentlyContinue -WarningAction SilentlyContinue


    The bitlocker script itself:

    Start-Transcript -Path "\\Melandru\temp\$env:COMPUTERNAME.txt"

    # get computer capability
    $OS_edition = Get-WmiObject -Class win32_operatingSystem
    $TPM_info = Get-Tpm
    $bitlocker_status = Get-BitLockerVolume C:
    $gpo_path = "***********\SYSVOL\***********\Policies\{*******-****-****-****-**********}\"

    ### Pre-requisites ###
    # if bitlocker is on and encryption method is XtsAes256 - exit, since nothing to do
    if (($bitlocker_status.ProtectionStatus -eq "On") -and ($bitlocker_status.EncryptionMethod -eq "XtsAes256")) {
        # the list file records which machines already had their recovery key backed up
        if ((Get-Content "$($gpo_path)bitlocker_list.txt") -like "*$($env:COMPUTERNAME)*") {
            Write-Output "Bitlocker key already backed up"; exit
        }
        else {
            # escrow the recovery password protector to AD
            $key_protector = (Get-BitLockerVolume C:).KeyProtector |
                Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" } |
                Select-Object -ExpandProperty KeyProtectorId
            Backup-BitLockerKeyProtector -KeyProtectorId $key_protector -MountPoint C:
            exit
        }
    }
    # check if encryption/decryption in progress. If so - exit the script
    elseif (($bitlocker_status.VolumeStatus -eq "EncryptionInProgress") -or ($bitlocker_status.VolumeStatus -eq "DecryptionInProgress")) {
        Write-Output "Bitlocker encryption/decryption in progress"; exit
    }

    ### define bitlocker functions ###
    function remove_old_key_protectors {
        foreach ($keyprotector in $bitlocker_status.KeyProtector) {
            Remove-BitLockerKeyProtector C: -KeyProtectorId $keyprotector.KeyProtectorId
            Write-Output "Removed $($keyprotector.KeyProtectorId)"
        }
        Write-Output "Old keys removed"
    }

    function enable_bitlocker {
        # add a new key protector - recovery password
        Add-BitLockerKeyProtector -MountPoint C:\ -RecoveryPasswordProtector
        Write-Output "Added password key protector"
        # enable bitlocker
        Enable-BitLocker -MountPoint C:\ -EncryptionMethod XtsAes256 -SkipHardwareTest -UsedSpaceOnly -TpmProtector
        Write-Output "Bitlocker enabled"
    }

    # check tpm chip and OS edition
    if (($OS_edition.Caption -notlike "*ent*") -or ($TPM_info.TpmPresent -ne $True)) { Write-Output "Not compatible"; exit }
    # if all checks passed - do the script logic
    else {
        # Check if bitlocker is enabled and encryption method is not XtsAes256. If so - disable bitlocker
        if (($bitlocker_status.ProtectionStatus -eq "On") -and ($bitlocker_status.EncryptionMethod -ne "XtsAes256")) {
            Write-Output "Disabling bitlocker"
            Disable-BitLocker C:
        }
        elseif ($bitlocker_status.ProtectionStatus -eq "Off") {
            # check if there's an old protection key and remove it
            if ($bitlocker_status.KeyProtector -ne $null) {
                Write-Output "Removing old keys"
                remove_old_key_protectors
            }
            Write-Output "Enabling Bitlocker XtsAes256"
            enable_bitlocker
        }
    }

    Stop-Transcript -ErrorAction SilentlyContinue


    The thing is, if I simply run the bat file manually on a computer, BitLocker gets enabled, but if I add the bat script to Computer Configuration->Policies->Windows Settings->Scripts (Startup/Shutdown)->Startup,
    I see the error mentioned above. Any help appreciated

    :)
     
    Tesla_PS, Apr 5, 2019
    #1
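A diagnostic variant of the deployment step, added here as an example and not taken from the thread or from the poster's script: it records the identity and privilege set the startup script actually runs with, checks TPM readiness, escrows the recovery password to AD before touching the TPM protector, and logs the HRESULT of any failure so that 0x80070522 appears in the transcript together with its context. The log folder, C: as the OS volume, and AD key escrow already being configured by policy are assumptions.

```powershell
# Added diagnostic deployment wrapper; not the poster's script.
# Assumptions: C: is the OS volume, the log folder below is writable by SYSTEM,
# and AD recovery-key escrow is already configured by policy.
$LogDir = 'C:\ProgramData\BitLockerDeploy'   # assumed local log location
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Start-Transcript -Path (Join-Path $LogDir "$env:COMPUTERNAME.log") -Append

# 1. Record the identity and privileges the script actually runs with. A GPO
#    startup script should be SYSTEM; anything else points at the launcher.
Write-Output ('Running as: ' + [Security.Principal.WindowsIdentity]::GetCurrent().Name)
whoami /priv | Out-String | Write-Output

# 2. TPM readiness, which adding a TPM protector depends on.
$tpm = Get-Tpm
Write-Output ('TPM present={0} ready={1} enabled={2} owned={3}' -f `
    $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmEnabled, $tpm.TpmOwned)
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Output 'TPM not ready; not attempting BitLocker'; Stop-Transcript; exit 1
}

# 3. Only act on a fully decrypted volume; anything else is in progress or done.
$vol = Get-BitLockerVolume -MountPoint 'C:'
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Output "Volume status is $($vol.VolumeStatus); nothing to do"; Stop-Transcript; exit 0
}

try {
    # Add and escrow the recovery password before encryption starts, so a
    # recovery path exists in AD even if the TPM protector step fails.
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId
    Write-Output "Recovery protector $($rp.KeyProtectorId) escrowed to AD"

    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -SkipHardwareTest -TpmProtector -ErrorAction Stop | Out-Null
    Write-Output 'BitLocker enabled with TPM protector'
}
catch {
    # Surface the HRESULT so 0x80070522 (ERROR_PRIVILEGE_NOT_HELD) is in the log.
    $hr = '0x{0:X8}' -f $_.Exception.HResult
    Write-Output "Failed: $($_.Exception.GetType().FullName) HRESULT $hr - $($_.Exception.Message)"
    exit 2
}
finally { Stop-Transcript }
```

Comparing the "Running as" line and the privilege list between a manual run and a startup-script run of the same machine is the quickest way to see what differs in the context where Add-TpmProtector fails.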
  2. brubakes Win User

    Enabling Bitlocker with GPO


    Once the GPO for BitLocker's settings has been configured and assigned, do I still need to manually enable BitLocker on the specific device, or should the GPO kick off the process automatically?
     
    brubakes, Apr 5, 2019
    #2
  3. BitLocker refuses to enable

    SarahKong: Inserting a flash drive would help if I could at least get past the error that the GPO isn't set. Step 1 (Enable BitLocker) in the article you specified is where my issue lies ... I can't even turn on BitLocker. Step 3 is where the flash drive would come into play, but I can't get past step 1.

    Andrea Da Costa: We don't set these GPOs in our domain, and I've tried gpupdate /force and a reboot to no effect.
     
    Matthew Wallace PS, Apr 5, 2019
    #3
  4. BitLocker won't enable on Windows 10 after update on Aug 9

    Hi Brenda,

    I would be happy to assist you.

    Before I assist you I would like to know the information below,


    • Do you have a Windows 10 copy of the operating system?

    I suggest you check whether BitLocker is ON or OFF using the steps below.

    Can you verify if BitLocker is enabled or disabled on your device? You can Enable/disable BitLocker by going to Desktop and follow these steps:


    • Swipe Right to Left to bring up the Charm.

    • Choose Settings.

    • Choose Control Panel.

    • Select BitLocker Drive Encryption.

    • Verify whether BitLocker is on or off on each device.
    Also, I suggest you enable WinRE so that you can enter the BitLocker key and proceed.

    When WinRE is disabled, you cannot enable BitLocker, and you receive an error message that resembles the following.

    This PC doesn't support entering a BitLocker recovery password during startup. Ask your administrator to configure Windows Recovery Environment so that you can use BitLocker.

    The solution would be to manually enable the windows recovery environment:


    • Copy the winre.wim file from c:\windows\system32\recovery\ to a folder on a recovery partition. (The partition needs to have a drive letter at this point.)

    • Set the RE Image path. Example: reagentc /setreimage /path r:\recovery\windowsre

    • Enable RE with command: reagentc /enable

    • (You may remove the drive letter for the recovery partition after you have done this.)

    • BitLocker will be enabled.
    If the issue still persists, I suggest you post your query at the link below.

    https://technet.microsoft.com/en-us/library/hh831507(v=ws.11).aspx

    Hope this information was helpful and do let us know if you need further assistance. We will be glad to assist.

    Thank you.
     
    Vidyashree_C, Apr 5, 2019
    #4