BitLocker Error on Windows 10/11 with MS Account

~OSD~ 2,106 Reputation points
2022-11-14T14:21:13.58+00:00

Hi,

I am trying to enable BitLocker on Windows 10/11 using Command Prompt/PowerShell.

The following GPO setting exists on both Windows 10 and Windows 11.

260176-image.png

Method 1:
Add-BitLockerKeyProtector -MountPoint C: -PIN ('123123' | ConvertTo-SecureString -AsPlainText -Force) -TpmAndPinProtector

manage-bde.exe -protectors -enable C:  

This works fine on an offline account but did NOT work if a user is logged in using an MS Account (which is the default on Windows 11).

Method 2:
$SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
Enable-BitLocker -MountPoint c: -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector

This example is taken from the web (source: https://lazyadmin.nl/it/enable-bitlocker-windows-10/).
But this didn't work either; see the error message below.
260109-image.png


3 answers

  1. MTG 1,191 Reputation points
    2022-11-16T12:23:22.17+00:00

    Your status says "encryption in progress", so it's clear that you cannot turn on BitLocker once more - could that be the simple reason?

    1 person found this answer helpful.

  2. Dillon Silzer 54,091 Reputation points
    2022-11-14T16:32:03.867+00:00

    Hi @~OSD~

    Try a minimum length of 6 digits.

    With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of four digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.

    Configure minimum PIN length for startup

    https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#configure-minimum-pin-length-for-startup

    -----------------------------------

    If this is helpful please accept answer.


  3. MTG 1,191 Reputation points
    2022-11-15T09:39:01.927+00:00

    Don't just quote the error but please include the command as well.
    Please add the output of these batch commands:

    manage-bde -protectors c: -add -tp
    manage-bde -on c: -used -s -em aes256 -rp
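
The two causes raised in the answers above (a startup PIN shorter than the policy minimum, and a volume that is already encrypting) can be checked before calling Enable-BitLocker. The script below is an added example, not code from any poster in this thread; the script parameters are illustrative, and the registry location of the "Configure minimum PIN length for startup" policy (HKLM:\SOFTWARE\Policies\Microsoft\FVE, value MinimumPIN) is an assumption to verify on your build.

```powershell
# Added example: pre-flight checks before enabling BitLocker with TPM+PIN.
# Save as a .ps1 file and run from an elevated PowerShell session.
param(
    [string]$MountPoint = 'C:',
    # Mandatory SecureString: PowerShell prompts for it with masked input,
    # so the PIN never appears in the script or in command history.
    [Parameter(Mandatory)][securestring]$Pin
)

# Default minimum when the policy is not configured (6, per the policy text quoted above).
$minPin = 6

# Assumption: the GPO "Configure minimum PIN length for startup" is stored here.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
    -Name MinimumPIN -ErrorAction SilentlyContinue
if ($policy) { $minPin = [int]$policy.MinimumPIN }

# Measure the PIN length; the plaintext is not stored in a variable.
$pinLength = [System.Net.NetworkCredential]::new('', $Pin).Password.Length
if ($pinLength -lt $minPin -or $pinLength -gt 20) {
    throw "PIN length $pinLength is outside the allowed range ($minPin-20)."
}

# Check the current state of the volume before trying to turn BitLocker on.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Warning ("{0} is '{1}' ({2}% encrypted); not calling Enable-BitLocker." -f `
        $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
    # List the protector types already present on the volume.
    $vol.KeyProtector | Select-Object KeyProtectorType
    return
}

# Both checks passed: enable with the same options as Method 2 in the question.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
    -UsedSpaceOnly -Pin $Pin -TpmAndPinProtector
```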