This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 54%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOD%3C/text%3E%3C/svg%3E)
Hello,
I use MBAM server.
client version mbam 2.5 sp1 and os are windows 10 1909 enterprise.
OS drive successfully encrypted automatically . I have problem with fixed drive. Fixed drive encryption can not start automatically.
My fixed drive GPO:
choose how BitLocker-protected fixed drives can be recovered Enabled
Allow data recovery agent Enabled
Omit recovery options from the BitLocker setup wizard Enabled
Save BitLocker recovery information to AD DS for fixed data drives Enabled
Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives Disabled
Configure use of passwords for fixed data drives Disabled
Encryption Policy Enforcement Settings Enabled
Configure the number of noncompliance grace period days for fixed drives. This grace period begins only after the operating system drive compliance is detected: 0
Fixed data drive encryption settings Enabled
Configure Auto-Unlock for fixed data drive: Allow Auto-Unlock
When I check gpo from client , I can see only "choose how BitLocker-protected fixed drives can be recovered" and "Configure Auto-Unlock for fixed data drive:" settings .
Hi,
Might try using the following command in the elevated command prompt to refresh client GPO settings so they can be applied on clients:
gpupdate /force
then reboot.
Best regards.
**
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I checked gpo , it works well. I have still fixed drive problem.
Hi,
please check out this thread with similar issue which might be helpful:
https://social.technet.microsoft.com/Forums/en-US/04b9db5a-eb1b-4b1f-ab4e-d9b1463372a1/bitlocker-encryption-not-starting-automatically?forum=mdopmbam
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 0%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
You may also want to run gpresult to see what is blocking the policy if everything is correctly configured. Lastly, you may want to see the event log that TPM event-triggered
Hello,
If the policies are correctly configured and linked, it should not take so long to start encrypting. Also, try to compliance the report to determine the encryption status by using any of these commands.
Please check to ensure that the PCs are part of the OU and the BitLocker and MBAM policies are configured correctly.
Saw you also configured auto-unlock. Double-check with these links for your needed BitLocker policies
This last link will also help you in ensuring your policies are correctly configured and aligned.
If these procedures helped you in any way, please click on "It solved my problem" and also mark it as an answer, so you can help other users.
Did you try it for fixed driver? auto ency. can not start for fixed driver
Hello,
It is the policy you are using. I have tested this for OS and fixed data drive and it works. It will require you to log on to the device interactively before encryption of the data drive can succeed.
I see you have auto unlock enabled, you must therefore enable "Configure use of passwords for fixed data drives". If you are using auto-unlock, the policy will not be enforced until the operating system drive is compliant. However, if we are not using auto-unlock, encryption of the fixed data drive can begin before the operating system drive is fully encrypted. Here is a link.
I hope this helps.
Hi OrtacDemirel-7821,
I had to set up MBAM in order to outline the steps for your deployment. I hope this guide helps.
Remember to check MBAM client logs in Event Viewer / Applications. If your GPO is set right, but there is a some problem, you should understand it from those logs.
Exactly my point, I have also suggested this to him and he could additionally use the gpresult to see if there are GPO denials