In my previous post, I explained how to enable BitLocker with PowerShell and how to unlock, suspend, resume, and disable BitLocker with PowerShell. You might face various errors while using BitLocker drive encryption. Since most errors are fixed using Group Policy settings, it is worth mentioning that all the BitLocker-related settings are available under the following Group Policy path:

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.

Let's discuss some BitLocker errors and how to fix them.

Error 0x8028400F: TPM cannot be found

Set-BitLockerVolumeInternal : A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer.

A compatible Trusted Platform Module TPM Security Device cannot be found on this computer


Cause

By default, Windows uses TPM as a key protector. When you try to use a key protector other than TPM, you get this error. The error usually occurs when your computer does not have supported TPM hardware, but you still decide to use BitLocker drive encryption anyway.

Resolution

To fix this error, you need to use a Group Policy setting to override the default behavior. To do so, follow these steps:

Open the Group Policy editor. Either the local or domain group policy will work.

Navigate to the path under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

Locate the setting named Require additional authentication at startup.

BitLocker Require additional authentication at startup


Now enable both this Group Policy setting and the checkbox that says Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive). See the screenshot for reference:

Allow BitLocker without a compatible TPM requires a password or a startup key on a USB flash drive


Once this is done, you can use a password or startup key as a key protector on the Windows volume.

If your computer has TPM hardware but you still decide to use a key protector other than TPM, you could get either of the following error messages:

Add-PasswordProtectorInternal : Group Policy settings do not permit the use of a PIN at startup.

Add-PasswordProtectorInternal : Group Policy settings do not permit the creation of a password.

Group Policy settings do not permit the creation of a password


You can use the Group Policy settings mentioned above to fix both errors.

Error 0x80310068: PIN length not met

Add-TpmAndPinProtectorInternal : The PIN provided does not meet minimum or maximum length requirements.

The PIN provided does not meet minimum or maximum length requirements


Cause

On modern versions of Windows (Windows 10 version 1703+ or Windows 11), BitLocker does not accept a PIN shorter than 6 digits (or characters if enhanced PINs are enabled). When you try to use a shorter PIN, you get this error.

Resolution

You can get around this error by simply using a PIN containing six or more characters. By the way, the PIN length is configurable via Group Policy. To configure the TPM startup PIN length in your environment, do the following:

Open the Group Policy editor. Either the local or the domain Group Policy will do.

Navigate to the path under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

Locate the Group Policy setting named Configure minimum PIN length for startup.

Now enable this policy and configure a PIN length as per your organization's security requirements. See the screenshot below for reference.

Configure the minimum PIN length for startup


Error 0x803100CC: PIN is alphanumeric

Add-TpmAndPinProtectorInternal : Your PIN can only contain numbers from 0 to 9.

Your PIN can only contain numbers from 0 to 9


Cause

This error occurs when you try to use an alphanumeric PIN along with a TPM key protector. I would say that this error is a bit misleading, though, because it doesn't mean you can't use an alphanumeric TPM startup PIN.

Resolution

If your organization's policy enforces the use of a secure startup PIN containing numbers, characters, and symbols, you can use Group Policy to enable enhanced PINs (as Microsoft calls it). To do so, enable the Group Policy setting called Allow enhanced PINs for startup, which is available under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

Allow enhanced PINs for startup


Once this policy is enabled, you will be able to use a complex startup PIN for BitLocker drive encryption on an OS volume. Note that not every computer supports enhanced PINs in a preboot environment, so it is strongly recommended that you perform a system check during the BitLocker setup process.

Error 0x8031003A: Key protector cannot be used

When you try to save a key protector for a BitLocker volume in Active Directory, you might receive this error message.

Backup-BitLockerKeyProtector : Backup-BitLockerKeyProtector : The key protector specified cannot be used for this operation.

Backup BitLockerKeyProtector The key protector specified cannot be used for this operation


Cause

This error occurs when you specify an unsupported or wrong key protector ID while using the Backup-BitLockerKeyProtector cmdlet. This cmdlet can only back up a recovery password key protector in Active Directory. If your encrypted drive does not use a recovery password or you accidentally specify the wrong key protector ID, this error is likely to occur.

Resolution

To understand the reason for this error, let's first view the key protectors for a Windows volume using this command:

(Get-BitLockerVolume -MountPoint "C").KeyProtector

View the key protectors for a BitLocker volume using PowerShell

As you can see in the screenshot above, the BitLocker volume is using only the TPM+PIN protector. Remember, key protectors are stored as an array. So the error we are discussing here occurs because there is no key protector at the KeyProtector[1] array index.

To fix this error, we need to add a recovery password protector to the encrypted volume using a command like this:

Add-BitLockerKeyProtector -MountPoint "C" -RecoveryPasswordProtector

Add a recovery password to a BitLocker volume using PowerShell

You can see in the screenshot above that the recovery password is now added as an additional key protector, which is accessible using the KeyProtector[1] array notation. Now, you can back up the recovery password to Active Directory using this command:

$BVol = Get-BitLockerVolume -MountPoint "C"
Backup-BitLockerKeyProtector -MountPoint "C" -KeyProtectorId $BVol.KeyProtector[1].KeyProtectorId
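
The KeyProtector[1] index is only correct when the recovery password happens to be the second protector on the volume. The following added example (not code from the original article) selects the protector by type instead, adds one if none exists, and reports per protector whether the Active Directory backup succeeded; the function name Backup-RecoveryPasswordToAD is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: pick the recovery password protector by type, not by array index.
function Backup-RecoveryPasswordToAD {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$MountPoint = 'C:'
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Backup-BitLockerKeyProtector only accepts RecoveryPassword protectors.
    $recovery = @($volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($recovery.Count -eq 0) {
        Write-Verbose "No recovery password on $MountPoint, adding one."
        # The cmdlet echoes the new password in a warning; suppress it so the
        # value does not end up in transcripts or console logs.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector `
            -ErrorAction Stop -WarningAction SilentlyContinue | Out-Null
        $recovery = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }

    foreach ($protector in $recovery) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
            [pscustomobject]@{ KeyProtectorId = $protector.KeyProtectorId
                               BackedUp = $true; Error = $null }
        }
        catch {
            # For example, Group Policy does not permit storage in Active Directory.
            [pscustomobject]@{ KeyProtectorId = $protector.KeyProtectorId
                               BackedUp = $false; Error = $_.Exception.Message }
        }
    }
}

Backup-RecoveryPasswordToAD -MountPoint 'C:' -Verbose
```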

Error: Storing recovery information in Active Directory fails

Backup-BitLockerKeyProtector : Group policy does not permit the storage of recovery information to Active Directory. The operation was not attempted.

Group policy does not permit the storage of recovery information to Active Directory


Cause

The error occurred because, by default, Group Policy doesn't allow you to store BitLocker recovery information in Active Directory.

Resolution

To fix this error, do the following:

  1. Open the Group Policy editor.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
  3. If you are trying to back up the recovery information of an operating system volume, select the Operating System Drives folder in Group Policy. If you're backing up the information of a data drive, select the Fixed Data Drives folder.
  4. After selecting the right folder, as suggested above, enable the Group Policy named Choose how BitLocker-protected operating system drives can be recovered.
  5. Make sure you enable the options shown in the screenshot:
Choose how BitLocker protected operating system drives can be recovered


If you're under the Fixed Data Drives folder, the setting will be called Choose how BitLocker-protected fixed drives can be recovered instead. Once this setting is enabled, you will be able to back up the recovery information in AD.
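
Most of the errors above come down to a policy that is not enabled on the machine. The following added example (not from the original article) reads the effective policy values and the TPM state and lists which of these errors a planned configuration would trigger. The function name Test-BitLockerPreflight is hypothetical, and the registry value names are the ones the BitLocker policy templates write under the FVE policy key; they do not appear in the article.

```powershell
#Requires -RunAsAdministrator
# Added example: predict the errors discussed above from the effective policy.
function Test-BitLockerPreflight {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$Pin,          # planned startup PIN, if any
        [switch]$BackupToAD,   # planning to back up the OS drive recovery password to AD
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    )

    # Values written by the Operating System Drives policies; $null = not configured.
    $fve = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $policy = @{}
    foreach ($name in 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'UseEnhancedPin',
                      'MinimumPIN', 'OSRecovery', 'OSActiveDirectoryBackup') {
        $policy[$name] = if ($fve) { $fve.$name } else { $null }
    }

    $tpmPresent = (Get-Tpm).TpmPresent
    # Default of 6 as stated in the article for Windows 10 1703+ and Windows 11.
    $minPin   = if ($null -ne $policy.MinimumPIN) { $policy.MinimumPIN } else { 6 }
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $tpmPresent -and $policy.EnableBDEWithNoTPM -ne 1) {
        $findings.Add('0x8028400F: no TPM found and "Allow BitLocker without a compatible TPM" is not enabled')
    }
    if ($Pin) {
        if ($policy.UseAdvancedStartup -ne 1) {
            $findings.Add('"Require additional authentication at startup" is not enabled: PIN at startup not permitted')
        }
        if ($Pin.Length -lt $minPin) {
            $findings.Add("0x80310068: PIN has $($Pin.Length) characters, policy minimum is $minPin")
        }
        if ($Pin -notmatch '^[0-9]+$' -and $policy.UseEnhancedPin -ne 1) {
            $findings.Add('0x803100CC: non-numeric PIN but "Allow enhanced PINs for startup" is not enabled')
        }
    }
    if ($BackupToAD -and ($policy.OSRecovery -ne 1 -or $policy.OSActiveDirectoryBackup -ne 1)) {
        $findings.Add('AD backup blocked: OS drive recovery policy does not allow storing recovery information in AD')
    }

    [pscustomobject]@{ TpmPresent = $tpmPresent; MinimumPin = $minPin; Findings = $findings }
}

# Constructed sample PIN; never log or hard-code a real one.
(Test-BitLockerPreflight -Pin '12ab' -BackupToAD).Findings
```

The registry reflects domain policy only after it has been applied, so run gpupdate before the check when the settings come from a domain GPO.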

Conclusion

It is hard to cover every possible error in a single article. Thus, this post covers only the most common errors. If you get an error that isn't covered in this post, don't hesitate to leave a comment, and I will try my best to provide a solution.

5 Comments
  1. Gerry Wisnoski 1 year ago

    My friend has a laptop that developed a problem with one of the USB-C ports. It had a maintenance contract so the manufacturer sent out a support tech to swap out the system board. BitLocker was running so the tech appropriately disabled BitLocker to move the existing disk drive to the new system board. It seems the tech did not wait for the BitLocker Disable to complete before powering down to remove the disk and move it. Now in the refurbished laptop with the new system board Windows seems to run OK but BitLocker is “broken”. It will not complete the Disable and it will not Enable. The manufacturer is at a loss. Is there any hope? Thanks for your help.

    • Author

      Can you share a bit more information like what key protectors were being used when BitLocker was working? What error do you get when trying to enable or disable it again? Error screenshots will be really helpful.

  2. Gerry Wisnoski 1 year ago

    Mystery Solved. This laptop runs Windows 11 HOME which does not support Bitlocker. The confusion was caused by the tech leaving and giving my friend instructions about re-enabling “Bitlocker”. What’s really sad is that over the past 3 weeks this has gone up the support chain to a regional manager. The actual problem is that TPM was not enabled on the new system board so device encryption cannot work. I figured this out today when I was able to examine the laptop myself for the first time. Problem solved.

  3. Mike Hufnagle 1 year ago

    > Storing recovering information in Active Directory fails

    As a sidenote, if your environment is still very old (Read 2008 R2 DCs) there are scripts that are required to be run to create the various objects and ACLs for storing the bitlocker keys in AD. Microsoft used to provide these scripts on their articles, but it’s getting harder and harder to find these old vbs scripts that perform these steps. Not that anyone should still be running 2008 R2 nowadays, but it’s worth noting that this will stop keys from backing up.

    The dumbest bitlocker-related error we used to see was “This PC doesn’t support entering a bitlocker recovery password during startup”. Fix is to do an admin cmd prompt and run “Reagentc.exe /enable” then attempt to bitlocker again. Related to that are “The system cannot find the FILE specified” which means “delete C:\Windows\System32\Recovery\ReAgent.xml and try to enable bitlocker again” or “The system cannot find the PATH specified” which means “Ensure that a folder called ‘Recovery’ exists in C:\Windows\System32\”

    On some really old HP 810’s we also had to do some weird stuff when trying to update firmware:

    Case: Bitlocker is OFF, and when trying to update the TPM firmware you get prompted for an Owner password. Owner Password is a legacy key that is no longer in use. Trying to clear TPM from within Windows doesn’t work as expected. You can clear the “TPM Owner” before updating TPM firmware as follows:

    Run Command Prompt as Administrator and run the following lines:

    reg add HKLM\SOFTWARE\Policies\Microsoft\TPM /f /v OSManagedAuthLevel /t REG_DWORD /d 4

    WMIC /namespace:\\root\cimv2\Security\MicrosoftTpm Path Win32_Tpm Where __RELPATH="Win32_Tpm=@" Call SetPhysicalPresenceRequest 14

    Then reboot.

    You may also have to set a bios setting to allow Windows to adjust TPM password before doing these changes.

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account