Bitlocker Will Not Turn On Windows 10


Olegario Benford

Jul 17, 2024, 11:54:21 AM
to losummaumpor

Don't have to use any passwords. You set up your Microsoft account and local. Then you get Win10 startup with your choice of PIN, face with IR camera, and fingerprint. You can turn all that off also to log in how you like.

Now here comes the problem. You need the BitLocker key if going to do any resets or restoring from any backups. They are locked to your Microsoft account. That key will let you back in that drive or any other drive you have BitLockered.

If you have done any hardware-level changes to your computer as mentioned below, I would suggest you revert the change; it will allow you to start your Windows. Then you can turn off BitLocker, or you can take a backup of the key (if you want to keep BitLocker):

@Ozo123123 if there was no key in your MS account, then the only choice is to reset the computer. Please make a bootable rescue USB and back up your data. After that, reinstall the OS from a bootable USB.

Hello,
I've read through all the material I can. I am struggling to understand what is supposed to happen when you have BitLocker settings enabled for the system drive.

Here is our situation. We are not joining the computers to a domain and users do not have a Microsoft account. When they log into Windows, GCPW gives them a standard user account. On my two test machines, despite having the settings enabled, nothing happens regarding BitLocker. Coming from a domain environment I am already fairly familiar with BitLocker, so I assume this is because there is nowhere to store the recovery key and likely because they are not an administrative user.

Should we just be enabling BitLocker using the local admin account before distributing the computer?
Will it report in the admin console correctly if it is done this way?
What is everyone else doing in regards to BitLocker?

If you are not seeing this, can you verify that the device is successfully enrolled with advanced Windows management? You can check if the device is enrolled from the Settings app. You can also create logs and look at the BitLocker value. -us/windows/client-management/mdm-collect-logs

Would it prompt them if they are a standard user? Standard users normally can't enable BitLocker. I have an open ticket with support and am waiting to see what they say. In the meantime I added a second test computer; same behavior. Nothing happens; all other policies seem to be working.

Ah, that could be the problem. Just looking into Microsoft's documentation, there seem to be new settings in the OS that can make this possible. Can you use the Custom settings section of the Admin console to enable these settings in addition to the BitLocker settings?

I don't mind turning BitLocker on with the local administrator account. However, on my test machine, when I enable BitLocker with the local administrator account, the admin console still reports that the device is unencrypted.

From what I can tell, if you enable BitLocker before enrolling the device to a user, the admin portal will never correctly report the device as encrypted. This creates a catch-22. You have to enroll the device before the user gets it to enable BitLocker.

The policies you listed state that they are only for Azure Active Directory Joined devices.

The local Admin account, which is registered in the Admin console in the GCPW settings, has to enable BitLocker manually and save the recovery key elsewhere.
The key can't be stored on the same drive, but a GDrive-enabled folder (Google Drive for Desktop) does the trick.

You must also establish a key protector. BitLocker uses a key protector to encrypt the volume encryption key. When a user accesses a BitLocker-encrypted drive, such as when starting a computer, BitLocker requests the relevant key protector. For example, the user can enter a PIN or provide a USB drive that contains a key. BitLocker decrypts the encryption key and uses it to read data from the drive. You can use one of the following methods or combinations of methods for a key protector:

Trusted Platform Module (TPM): BitLocker uses the computer's TPM to protect the encryption key. If you select this key protector, users can access the encrypted drive as long as it is connected to the system board that hosts the TPM and system boot integrity is intact. In general, TPM-based protectors can only be associated with an operating system volume.

TPM and Personal Identification Number (PIN): BitLocker uses a combination of the TPM and a user-supplied PIN. A PIN is four to twenty digits or, if you allow enhanced PINs, four to twenty letters, symbols, spaces, or numbers.

For a password or PIN key protector, specify a secure string. You can use the ConvertTo-SecureString cmdlet to create a secure string. You can use secure strings in a script and still maintain confidentiality of passwords.

We strongly recommend specifying the encryption method. By default, BitLocker uses XTS-AES-128. You can opt for XTS-AES-256 for stronger security. However, if you are encrypting removable media and intend to use it on Windows 8.1 or Windows Server 2012 R2, you must opt for either AES-128 or AES-256 for backward compatibility. You may request hardware encryption, but we strongly advise against it. For further guidance, see the ADV180028 Security Advisory.

This cmdlet returns a BitLocker volume object. If you choose recovery password as your key protector but do not specify a 48-digit recovery password, this cmdlet generates a random one for you and stores it in the RecoveryPassword field of the KeyProtector attribute of the BitLocker volume object.

If you use a startup key or recovery key as part of your key protector, provide a path to store the key. This cmdlet stores the name of the file that contains the key in the KeyFileName field of the KeyProtector field in the BitLocker volume object.

If you use the Enable-BitLocker cmdlet on an encrypted volume or on a volume with encryption in process, it takes no action. If you use the cmdlet on a drive that has encryption paused, it resumes encryption on the volume.

It is common practice to add a recovery password for an operating system volume using the Add-BitLockerKeyProtector cmdlet, save the recovery password using the Backup-BitLockerKeyProtector cmdlet, and then enable BitLocker on that volume. This procedure ensures that you have a recovery option.

The first command uses the ConvertTo-SecureString cmdlet to create a secure string that contains a PIN and saves that string in the $SecureString variable. For more information about the ConvertTo-SecureString cmdlet, type Get-Help ConvertTo-SecureString.

The second command enables BitLocker encryption for the BitLocker volume that has the drive letter C:. The cmdlet specifies an encryption algorithm and the PIN saved in the $SecureString variable. The command also specifies that this volume uses a combination of the TPM and the PIN as key protector. The command also specifies to encrypt only the used space on the disk, instead of the entire volume. When the system writes data to the volume in the future, that data is encrypted.

This command gets all the BitLocker volumes for the current computer and pipes them to the Enable-BitLocker cmdlet by using the pipe operator. This cmdlet specifies an encryption algorithm for the volume or volumes. This cmdlet specifies a path to a folder where the randomly generated recovery key will be stored and indicates that these volumes use a recovery key as a key protector.

This command encrypts the BitLocker volume specified by the MountPoint parameter, and uses the AES-128 encryption method. The command also specifies an account and specifies that BitLocker uses user credentials as a key protector. When a user accesses this volume, BitLocker prompts for credentials for the user account Western\SarahJones.
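The recommended procedure from the paragraphs above (add a recovery password, back it up off the drive, then enable the volume with TPM+PIN) and the three example commands the text describes, written out as one added PowerShell example for this page; it is not the Microsoft documentation's own sample code. It also covers the GCPW poster's case of enabling BitLocker from a local admin account and saving the recovery key somewhere other than the encrypted drive. The backup folder D:\BitLockerKeys, the recovery-key folder E:\Recovery, the data volume E: and the group CORP\LaptopAdmins are placeholders and do not come from the page.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's own sample. Assumptions (not from the page):
# D:\BitLockerKeys and E:\Recovery are writable locations that are NOT the volume
# being encrypted; E: is a data volume; CORP\LaptopAdmins is a placeholder group.

function Protect-OsVolumeWithTpmAndPin {
    param(
        [string] $MountPoint = 'C:',
        [Parameter(Mandatory)] [string] $BackupDirectory
    )
    # 1. Add the recovery-password protector first. No -RecoveryPassword is given,
    #    so BitLocker generates a random 48-digit one and returns it on the object.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -Last 1

    # 2. Save it somewhere that is not the drive being encrypted. On a domain-joined
    #    machine with AD DS escrow configured, use Backup-BitLockerKeyProtector instead.
    New-Item -ItemType Directory -Path $BackupDirectory -Force | Out-Null
    $file = Join-Path $BackupDirectory ("{0}-{1}.txt" -f $env:COMPUTERNAME, $rp.KeyProtectorId.Trim('{}'))
    @(
        "Computer: $env:COMPUTERNAME"
        "Volume: $MountPoint"
        "Identifier: $($rp.KeyProtectorId)"
        "Recovery Password: $($rp.RecoveryPassword)"
    ) | Set-Content -Path $file
    # Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

    # 3. Turn on encryption: TPM+PIN, XTS-AES-256, used space only. The PIN is read
    #    as a SecureString (the docs' example builds one with ConvertTo-SecureString).
    $pin = Read-Host -AsSecureString -Prompt 'Startup PIN'
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -Pin $pin -TpmAndPinProtector
    # BitLocker runs a hardware test on the next restart before encrypting. Only pass
    # -SkipHardwareTest when you already know the TPM and PIN prompt work on this model.
    return $file
}

function Protect-AllVolumesWithRecoveryKey {
    param([Parameter(Mandatory)] [string] $RecoveryKeyPath)
    # Pipeline form: every volume gets a recovery key (.BEK file) written under
    # $RecoveryKeyPath. Volumes that are already encrypted are left unchanged.
    Get-BitLockerVolume |
        Enable-BitLocker -EncryptionMethod XtsAes128 -RecoveryKeyPath $RecoveryKeyPath -RecoveryKeyProtector
}

function Protect-DataVolumeForAdGroup {
    param(
        [string] $MountPoint = 'E:',
        [Parameter(Mandatory)] [string] $AdAccountOrGroup
    )
    # Domain-identity protector: members of the account or group can unlock the volume.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes128 `
        -AdAccountOrGroup $AdAccountOrGroup -AdAccountOrGroupProtector
}

function Get-BitLockerSummary {
    # Quick check of what was actually configured; ProtectionStatus is "Off" until
    # the hardware test passes and encryption starts.
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
            @{ n = 'Protectors'; e = { @($_.KeyProtector.KeyProtectorType | ForEach-Object { "$_" }) -join ',' } }
}

# Typical use on a fresh machine: protect the OS volume, then review.
$saved = Protect-OsVolumeWithTpmAndPin -BackupDirectory 'D:\BitLockerKeys'
Write-Host "Recovery password saved to $saved - move it off this machine before rebooting."
Get-BitLockerSummary
# Data-volume alternatives described in the text:
# Protect-AllVolumesWithRecoveryKey -RecoveryKeyPath 'E:\Recovery\'
# Protect-DataVolumeForAdGroup -MountPoint 'E:' -AdAccountOrGroup 'CORP\LaptopAdmins'
```

The order matters: adding and saving the recovery password before calling Enable-BitLocker is what guarantees a way back in if the TPM measurements change after a firmware update or board swap, which is exactly the situation the earlier replies in this thread are dealing with. A text file on an unencrypted or removable volume is the minimum; AD DS, Azure AD, or an MDM escrow is the right place for it in a managed fleet.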

Specifies an array of drive letters or BitLocker volume objects.This cmdlet enables protection for the volumes specified.To obtain a BitLocker volume object, use the Get-BitLockerVolume cmdlet.

Specifies a recovery password.If you do not specify this parameter, but you do include the RecoveryPasswordProtector parameter, the cmdlet creates a random password.You can enter a 48-digit password.The password specified or created acts as a protector for the volume encryption key.

Indicates that BitLocker does not perform a hardware test before it begins encryption.BitLocker uses a hardware test as a dry run to make sure that all the key protectors are correctly set up and that the computer can start without issues.

We are in the process of rolling out Cortex XDR to our organization. I saw the new BitLocker status screen/policies.

I'm struggling to understand if I can enable BitLocker with this policy, or if this is just a way to ensure the devices are compliant with the way we want BitLocker configured. We were previously using our AV company's encryption product, so we will be switching to BitLocker, and I wasn't sure if I can enable it through Cortex or if I need to use Intune or GPO.

I have not tried to enable this yet. I will try to get access to a lab to verify; however, it is my understanding that this is needed to allow the agent to access the encryption recovery key backup. Please give me through the end of the week to secure an environment to test.

I spoke with the Product Manager responsible for the BitLocker feature this morning. The prerequisite list is accurate, and anything listed must be set up / enabled before taking advantage of the feature. The PM also recommended that two profiles (as well as two policy rules) be created to use this feature. The first one is an encrypt profile to encrypt the drive(s). The second profile should be a decrypt profile to decrypt the drives. If you need to decrypt an encrypted drive, you would then add that machine to a policy with the decrypt profile.
