Let's discuss some BitLocker errors and how to fix them.
Error 0x8028400F: TPM cannot be found
Set-BitLockerVolumeInternal : A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer.
Cause
By default, Windows uses TPM as a key protector. When you try to use a key protector other than TPM, you get this error. The error usually occurs when your computer does not have supported TPM hardware, but you still decide to use BitLocker drive encryption anyway.
Resolution
To fix this error, you need to use a Group Policy setting to override the default behavior. To do so, follow these steps:
Open the Group Policy editor. Either the local or domain group policy will work.
Navigate to the path under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
Locate the setting named Require additional authentication at startup.
Now enable both this Group Policy setting and the checkbox that says Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive). See the screenshot for reference:
Once this is done, you can use a password or startup key as a key protector on the Windows volume.
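As an added example (not code from the original article), the following PowerShell snippet decides which key protector to use for the OS drive: it prefers the TPM when one is present and ready, and falls back to a password protector only when the Group Policy setting described above is in effect, so the 0x8028400F error is caught with a clear message instead. The registry value names UseAdvancedStartup and EnableBDEWithNoTPM under HKLM\SOFTWARE\Policies\Microsoft\FVE are my understanding of what that GPO writes; treat them as an assumption and verify in your environment.

```powershell
# Added example, not the article's code. Assumes the TrustedPlatformModule and
# BitLocker PowerShell modules that ship with Windows; registry value names are
# an assumption (what the "Require additional authentication at startup" GPO
# writes as far as I know).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-BitLockerNoTpmPolicy {
    # The policy writes UseAdvancedStartup=1; the "Allow BitLocker without a
    # compatible TPM" checkbox writes EnableBDEWithNoTPM=1.
    if (-not (Test-Path $fve)) { return $false }
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    return ($p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1)
}

$tpm = Get-Tpm
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    # Preferred path: keep the key hardware-rooted in the TPM
    Enable-BitLocker -MountPoint 'C:' -TpmProtector -EncryptionMethod XtsAes256
}
elseif (Test-BitLockerNoTpmPolicy) {
    # Policy permits a startup password instead of the TPM
    $pw = Read-Host -Prompt 'Startup password' -AsSecureString
    Enable-BitLocker -MountPoint 'C:' -PasswordProtector -Password $pw -EncryptionMethod XtsAes256
}
else {
    Write-Warning ('No ready TPM found and policy does not allow BitLocker without one ' +
                   '(expect error 0x8028400F). Enable "Allow BitLocker without a compatible TPM" first.')
}
```

Run it in an elevated PowerShell session; the policy check reads the local registry, so on a domain-joined machine run gpupdate first if you just changed the GPO.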
If your computer has TPM hardware but you still decide to use a key protector other than TPM, you could get either of the following error messages:
Add-PasswordProtectorInternal : Group Policy settings do not permit the use of a PIN at startup.
Add-PasswordProtectorInternal : Group Policy settings do not permit the creation of a password.
You can use the Group Policy settings mentioned above to fix both errors.
Error 0x80310068: PIN length not met
Add-TpmAndPinProtectorInternal : The PIN provided does not meet minimum or maximum length requirements.
Cause
On modern versions of Windows (Windows 10 version 1703+ or Windows 11), BitLocker requires a startup PIN of at least 6 digits (or characters, if enhanced PINs are enabled). When you try to use a shorter PIN, you get this error.
Resolution
You can get around this error by simply using a PIN containing six or more characters. By the way, the PIN length is configurable via Group Policy. To configure the TPM startup PIN length in your environment, do the following:
Open the Group Policy editor. Either the local or the domain Group Policy will do.
Navigate to the path under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
Locate the Group Policy setting named Configure minimum PIN length for startup.
Now enable this policy and configure a PIN length as per your organization's security requirements. See the screenshot below for reference.
Error 0x803100CC: PIN is alphanumeric
Add-TpmAndPinProtectorInternal : Your PIN can only contain numbers from 0 to 9.
Cause
This error occurs when you try to use an alphanumeric PIN along with a TPM key protector. I would say that this error is a bit misleading, though, because it doesn't mean you can't use an alphanumeric TPM startup PIN.
Resolution
If your organization's policy enforces the use of a secure startup PIN containing numbers, letters, and symbols, you can use Group Policy to enable enhanced PINs (as Microsoft calls them). To do so, enable the Group Policy setting called Allow enhanced PINs for startup, which is available under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
Once this policy is enabled, you will be able to use a complex startup PIN for BitLocker drive encryption on an OS volume. Note that not every computer supports enhanced PINs in a preboot environment, so it is strongly recommended that you perform a system check during the BitLocker setup process.
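The two PIN errors above (0x80310068 for length and 0x803100CC for non-numeric characters) both come from the same policy values, so here is one added example, not code from the article, that validates a PIN against the local policy before calling Add-BitLockerKeyProtector. The registry value names MinimumPIN and UseEnhancedPin under HKLM\SOFTWARE\Policies\Microsoft\FVE are what I understand the two GPOs to write; treat them as an assumption. The default minimum of 6 and maximum of 20 characters follow the behaviour described above.

```powershell
# Added example, not the article's code. Registry value names are an assumption.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-StartupPinPolicy {
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # Windows 10 1703+ / Windows 11 default when no policy sets a minimum
        MinLength   = if ($p.MinimumPIN) { [int]$p.MinimumPIN } else { 6 }
        MaxLength   = 20
        EnhancedPin = ($p.UseEnhancedPin -eq 1)
    }
}

function Test-StartupPin {
    # Returns $null when the PIN is acceptable, otherwise a message naming the
    # error BitLocker would raise.
    param([Parameter(Mandatory)][string]$Pin)
    $policy = Get-StartupPinPolicy
    if ($Pin.Length -lt $policy.MinLength -or $Pin.Length -gt $policy.MaxLength) {
        return "PIN must be $($policy.MinLength)-$($policy.MaxLength) characters long (error 0x80310068)."
    }
    if (-not $policy.EnhancedPin -and $Pin -notmatch '^[0-9]+$') {
        return 'Enhanced PINs are not enabled; the PIN may contain only digits 0-9 (error 0x803100CC).'
    }
    return $null
}

# Usage: read the PIN once as a SecureString, validate a transient plain copy,
# then hand the SecureString to the BitLocker cmdlet.
$secure  = Read-Host -Prompt 'Startup PIN' -AsSecureString
$plain   = [System.Net.NetworkCredential]::new('', $secure).Password
$problem = Test-StartupPin -Pin $plain
$plain   = $null
if ($problem) { Write-Warning $problem }
else { Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $secure }
```

The plain-text copy exists only for the length and character checks and is cleared immediately afterwards; the cmdlet itself only accepts a SecureString.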
Error 0x8031003A: Key protector cannot be used
When you try to save a key protector for a BitLocker volume in Active Directory, you might receive this error message.
Backup-BitLockerKeyProtector : Backup-BitLockerKeyProtector : The key protector specified cannot be used for this operation.
Cause
This error occurs when you specify an unsupported or wrong key protector ID while using the Backup-BitLockerKeyProtector cmdlet. This cmdlet can only back up a recovery password key protector to Active Directory. If your encrypted drive does not use a recovery password or you accidentally specify the wrong key protector ID, this error is likely to occur.
Resolution
To understand the reason for this error, let's first view the key protectors for a Windows volume using this command:
(Get-BitLockerVolume -MountPoint "C").KeyProtector
As you can see in the screenshot above, the BitLocker volume is using only the TPM+PIN protector. Remember, key protectors are stored as an array. So the original error that we are discussing here is actually caused by the fact that there is no key protector at the KeyProtector[1] array index.
To fix this error, we need to add a recovery password protector to the encrypted volume using a command like this:
Add-BitLockerKeyProtector -MountPoint "C" -RecoveryPasswordProtector
You can see in the screenshot above that the recovery password is now added as an additional key protector, which is accessible using the KeyProtector[1] array notation. Now, you can back up the recovery password to Active Directory using these commands (the first one refreshes the volume object so that the new protector is included):
$BVol = Get-BitLockerVolume -MountPoint "C"
Backup-BitLockerKeyProtector -MountPoint "C" -KeyProtectorId $BVol.KeyProtector[1].KeyProtectorId
Error: Storing recovery information in Active Directory fails
Backup-BitLockerKeyProtector : Group policy does not permit the storage of recovery information to Active Directory. The operation was not attempted.
Cause
This error occurs because, by default, Group Policy doesn't allow you to store BitLocker recovery information in Active Directory.
Resolution
To fix this error, do the following:
- Open the Group Policy editor.
- Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
- If you are trying to back up the recovery information of an operating system volume, select the Operating System Drives folder in Group Policy. If you're backing up the information of a data drive, select the Fixed Data Drives folder.
- After selecting the right folder, as suggested above, enable the Group Policy setting named Choose how BitLocker-protected operating system drives can be recovered.
- Make sure you enable the options shown in the screenshot:
If you're under the Fixed Data Drives folder, the setting will be called Choose how BitLocker-protected fixed drives can be recovered instead. Once this setting is enabled, you will be able to back up the recovery information in AD.
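The two Active Directory errors above (0x8031003A from picking the wrong protector, and the policy error from missing GPO settings) can both be avoided in one script. As an added example that is not the article's code, the function below checks the AD backup policy for the drive type, selects the recovery password protector by type rather than by the KeyProtector[1] index, adds one if the volume has none, and only then calls Backup-BitLockerKeyProtector. The registry value names OSActiveDirectoryBackup and FDVActiveDirectoryBackup are my understanding of what the two "Choose how ... drives can be recovered" policies write; treat them as an assumption.

```powershell
# Added example, not the article's code. Policy registry value names are an
# assumption; the BitLocker cmdlets used are the ones the article discusses.
function Backup-RecoveryPasswordToAD {
    param([Parameter(Mandatory)][string]$MountPoint)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # OS drives and fixed data drives are governed by different policy settings
    $prefix = if ($vol.VolumeType -eq 'OperatingSystem') { 'OS' } else { 'FDV' }
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($policy."${prefix}ActiveDirectoryBackup" -ne 1) {
        throw ("Group Policy does not allow AD DS backup for $($vol.VolumeType) drives; " +
               "enable the 'Choose how BitLocker-protected ... drives can be recovered' setting first.")
    }

    # Select by type instead of trusting a fixed array index
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    foreach ($protector in $rp) {
        # Backup-BitLockerKeyProtector accepts only recovery password protector IDs
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $protector.KeyProtectorId
        Write-Host "Backed up recovery password protector $($protector.KeyProtectorId) for $MountPoint"
    }
}

Backup-RecoveryPasswordToAD -MountPoint 'C:'
```

Run it elevated on a domain-joined machine; if the policy check throws, fix the GPO as described above and run gpupdate before retrying.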
Conclusion
It is hard to cover every possible error in a single article. Thus, this post covers only the most common errors. If you get an error that isn't covered in this post, don't hesitate to leave a comment, and I will try my best to provide a solution.
My friend has a laptop that developed a problem with one of the USB-C ports. It had a maintenance contract so the manufacturer sent out a support tech to swap out the system board. BitLocker was running so the tech appropriately disabled BitLocker to move the existing disk drive to the new system board. It seems the tech did not wait for the BitLocker Disable to complete before powering down to remove the disk and move it. Now in the refurbished laptop with the new system board Windows seems to run OK but BitLocker is “broken”. It will not complete the Disable and it will not Enable. The manufacturer is at a loss. Is there any hope? Thanks for your help.
Can you share a bit more information like what key protectors were being used when BitLocker was working? What error do you get when trying to enable or disable it again? Error screenshots will be really helpful.
Mystery Solved. This laptop runs Windows 11 HOME which does not support Bitlocker. The confusion was caused by the tech leaving and giving my friend instructions about re-enabling “Bitlocker”. What’s really sad is that over the past 3 weeks this has gone up the support chain to a regional manager. The actual problem is that TPM was not enabled on the new system board so device encryption cannot work. I figured this out today when I was able to examine the laptop myself for the first time. Problem solved.
Good to know you figured this out.
> Storing recovery information in Active Directory fails
As a side note, if your environment is still very old (read: 2008 R2 DCs), there are scripts that are required to be run to create the various objects and ACLs for storing the BitLocker keys in AD. Microsoft used to provide these scripts in their articles, but it's getting harder and harder to find these old VBS scripts that perform these steps. Not that anyone should still be running 2008 R2 nowadays, but it's worth noting that this will stop keys from backing up.
The dumbest BitLocker-related error we used to see was "This PC doesn't support entering a BitLocker recovery password during startup". The fix is to open an admin command prompt and run "Reagentc.exe /enable", then attempt to enable BitLocker again. Related to that are "The system cannot find the FILE specified", which means "delete C:\Windows\System32\Recovery\ReAgent.xml and try to enable BitLocker again", or "The system cannot find the PATH specified", which means "ensure that a folder called 'Recovery' exists in C:\Windows\System32\".
On some really old HP 810s we also had to do some weird stuff when trying to update firmware:
Case: BitLocker is OFF, and when trying to update the TPM firmware you get prompted for an Owner password. The Owner Password is a legacy key that is no longer in use. Trying to clear the TPM from within Windows doesn't work as expected. You can clear the "TPM Owner" before updating the TPM firmware as follows:
Run Command Prompt as Administrator and run the following lines:
reg add HKLM\SOFTWARE\Policies\Microsoft\TPM /f /v OSManagedAuthLevel /t REG_DWORD /d 4
WMIC /namespace:\\root\cimv2\Security\MicrosoftTpm Path Win32_Tpm Where __RELPATH="Win32_Tpm=@" Call SetPhysicalPresenceRequest 14
Then reboot.
You may also have to set a BIOS setting to allow Windows to adjust the TPM password before doing these changes.