Windows 10: Enabling factory-encrypted TPM protector using manage-bde breaks boot until secure boot is...

Discussion in 'AntiVirus, Firewalls and System Security' started by bltechnical, Mar 9, 2020.

  1. Enabling factory-encrypted TPM protector using manage-bde breaks boot until secure boot is...


    I'm investigating an issue with enabling Bitlocker protectors on a device that was encrypted from the factory. If I use the GUI to enable the protectors, it works fine, but if I use manage-bde, it will fail to find the boot device until I disable secure boot. This does not happen with devices that were not encrypted to begin with.

    :)
     
    bltechnical, Mar 9, 2020
    #1
  2. berlodo Win User

    Including Bitlocker Pre-Provisioning


    Hi @Kari,

    That was an awesome Tutorial, exactly what I've been looking for !

    I have been doing a bit of experimenting and found that a slight modification to your procedure can be used to pre-provision Bitlocker encryption, as long as the machine has a TPM chip present and activated on the motherboard. This pre-provisioning, if successful, could save a few hours as compared to configuring it post-install.
    Note: all of the following worked on Win 10 Enterprise x64 1709 on both an old Laptop (non-UEFI, non-Secure Boot e.g. a 10 year old Dell Latitude E4200 ) and a modern desktop (Dell Optiplex 5040 w UEFI and Secure Boot).
    All that's needed is to insert a step between 2.6 and 2.7 which would check if the destination drive is encryptable, and, if it is then enable encryption of used space. Because the 'used space' at that point is almost zero it gets encrypted almost instantaneously. But, because the drive is now encrypted, anything that DISM adds to the drive gets encrypted on the fly ! End result is that when the installation is finished the drive is encrypted with Bitlocker and just needs a 'protector' (e.g. TPM and PIN) added ..

    Here's what worked for me ....
    - just after step 2.6, check that G: drive is actually encryptable (this also checks the BIOS, TPM activated etc.)
    run command 'manage-bde -status' (if that lists the volume as encryptable, then we're good to go to next ..)
    run command 'manage-bde -on G: -used' (that turns on bitlocker for the drive, and should finish after a few seconds ...... just wait a few seconds and verify that another 'manage-bde -status' now shows 100%)
    - .. now proceed to step 2.7

    At the end of the installation and after first bootup and logon you should see a little yellow triangle as well as an unlock icon on the drive, showing it's encrypted but with a 'clear protector' ...... then just need to add a protector, like TPM and PIN e.g. 'manage-bde -protectors -add c: -TPMAndPIN' where you will be prompted for PIN, and if all goes well, will be prompted to enter PIN in order for machine to boot up.
     
    berlodo, Mar 9, 2020
    #2
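The two posts above (the factory-encrypted device that stops booting after a TPM protector is added with manage-bde, and berlodo's pre-provisioning that leaves the drive encrypted with only a clear protector) both end at the same step: putting a TPM protector on an already-encrypted OS volume. The script below is an added example, not code from this thread or from Microsoft; it wraps that step in the checks an administrator would want before rebooting, using the built-in BitLocker, TrustedPlatformModule and SecureBoot PowerShell modules on an elevated Windows 10 prompt. The parameter names and the export path are my own choices, and the script does not diagnose the boot failure in post #1; it only makes sure the machine is recoverable if that failure happens.

```powershell
# Added example, not code from this thread. Pre-flight checks before adding a
# TPM protector to an OS volume that is already encrypted with a clear key
# (the state berlodo's pre-provisioning leaves behind). Assumes an elevated
# PowerShell on Windows 10 with the built-in BitLocker, TrustedPlatformModule
# and SecureBoot modules; $MountPoint and $RecoveryExportPath are my own names.
param(
    [string]$MountPoint = 'C:',
    # Where to write the recovery password: removable or network storage,
    # never the volume being protected (assumed path, change it).
    [string]$RecoveryExportPath = 'D:\BitLockerRecovery'
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host ("{0} status={1} protection={2} method={3}" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod)
Write-Host ("Existing protectors: " + (($vol.KeyProtector.KeyProtectorType) -join ', '))

# 1. The TPM must be present and ready or the TPM protector cannot be created.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw "TPM not present or not ready" }

# 2. Record the Secure Boot state. The TPM protector's PCR validation profile
#    (shown later by 'manage-bde -protectors -get') is sealed against the
#    current boot configuration, so note it before any firmware setting changes.
try   { Write-Host "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { Write-Host "Secure Boot: not a UEFI boot ($($_.Exception.Message))" }

# 3. Make sure a recovery password exists and is stored off the disk BEFORE
#    the TPM protector goes on, so a failed boot is a recovery prompt, not a lock-out.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
New-Item -ItemType Directory -Path $RecoveryExportPath -Force | Out-Null
foreach ($p in $rp) {
    "$($p.KeyProtectorId) $($p.RecoveryPassword)" |
        Out-File -FilePath (Join-Path $RecoveryExportPath "$env:COMPUTERNAME.txt") -Append
    if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        # Escrow to AD DS as well (needs the domain's BitLocker backup policy and ACLs).
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
}

# 4. Add the TPM protector only if the volume does not already have one.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
}

# 5. Show what the TPM protector is bound to (PCR validation profile) before rebooting.
manage-bde -protectors -get $MountPoint
```

Run it as `.\Add-TpmProtectorSafely.ps1 -MountPoint C: -RecoveryExportPath E:\keys` from an elevated prompt, then reboot. If the machine drops into recovery, the exported or escrowed recovery password gets you back in, and the `-protectors -get` output taken beforehand shows which PCRs the protector was sealed against.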
  3. lx07 Win User
    BitLocker not requiring password at boot. (Without TPM)


    It should require TPM or USB or password/PIN.

    What does the PowerShell command manage-bde -status c: say?
    Code:
    PS C:\WINDOWS\system32> manage-bde -status c:
    BitLocker Drive Encryption: Configuration Tool version 10.0.15063
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Volume C: []
    [OS Volume]

        Size:                 64.00 GB
        BitLocker Version:    2.0
        Conversion Status:    Used Space Only Encrypted
        Percentage Encrypted: 100.0%
        Encryption Method:    XTS-AES 128
        Protection Status:    Protection On
        Lock Status:          Unlocked
        Identification Field: Unknown
        Key Protectors:
            TPM
            Numerical Password

    PS C:\WINDOWS\system32>
     
    lx07, Mar 9, 2020
    #3
  4. tinten10 Win User


    BitLocker key protector management help


    Seeking BitLocker help:

    Win10 machine with TPM.
    OS drive was successfully encrypted with "TPM & PIN" additional key protection.
    Now I'm hoping to drop back to "just TPM" with no additional PIN protection without having to decrypt and re-encrypt. (note: the reason is so that updates will reboot back to windows login and leave this base station machine accessible by Remote (RDP) but the reason is not what I want to discuss)

    I haven't found how to do it yet and don't know whether to concentrate on the "manage-bde" commands or gpupdate or both to find the answer. None of the local bitlocker policies are enabled (but the machine is in an AD domain.) If I try the following:
    manage-bde -protectors -delete C: -Type TPMAndPIN
    (within an admin cmd prompt) I get:
    "ERROR: An error occurred while deleting the key protector.
    Group Policy settings require the use of a PIN at startup. Please choose this Bitlocker startup option."

    Is there a way I can check what the domain admin is requiring? I forget how to check the broader group policies on Win10.
    Thanks!
     
    tinten10, Mar 9, 2020
    #4
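The error tinten10 quotes comes from the "Require additional authentication at startup" policy, which Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE. The script below is an added example, not code from this thread or from Microsoft; it reads those values on an elevated PowerShell prompt of a domain-joined Windows 10 machine, decodes the startup-protector settings, shows which GPOs applied, and lists the protectors currently on the OS volume. The `$startupValues` and `$meaning` names are mine.

```powershell
# Added example, not code from this thread. Shows where the "Group Policy
# settings require the use of a PIN at startup" refusal comes from: the
# "Require additional authentication at startup" policy is written by Group
# Policy to HKLM\SOFTWARE\Policies\Microsoft\FVE. Assumes an elevated
# PowerShell on a domain-joined Windows 10 machine; $startupValues is my name.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# Meaning of the values that policy uses for its four startup-protector settings.
$meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

if (-not (Test-Path $fve)) {
    Write-Host "No BitLocker policy keys present under $fve (no domain or local policy applied)."
} else {
    $pol = Get-ItemProperty -Path $fve
    Write-Host ("UseAdvancedStartup = {0}" -f $pol.UseAdvancedStartup)
    $startupValues = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'
    foreach ($name in $startupValues) {
        $v = $pol.$name
        if ($null -ne $v) {
            Write-Host ("  {0,-13} = {1}  ({2})" -f $name, $v, $meaning[[int]$v])
        }
    }
    # UseTPMPIN = 1 ("Require startup PIN with TPM") is the setting behind the
    # manage-bde refusal to delete the TPMAndPIN protector.
    if ([int]$pol.UseTPMPIN -eq 1) {
        Write-Host "Policy requires a startup PIN with TPM (what the manage-bde error reports); check the UseTPM value and the GPO that sets it before retrying."
    }
}

# Which GPOs delivered these settings (computer scope).
gpresult /r /scope computer

# Protectors currently on the OS volume.
(Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

For the full policy report with the setting names as they appear in the Group Policy editor, `gpresult /h report.html` writes an HTML file you can search for "BitLocker". The registry values only tell you what is enforced; which domain GPO sets them is in the gpresult output.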