This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 78%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EO%3C/text%3E%3C/svg%3E)
Hi,
I am trying to enable Bitlocker on Windows 10 /11 using command prompt /PowerShell.
Following GPO setting exists on both Windows 10 and Windows 11.
Method 1:
Add-BitLockerKeyProtector -MountPoint C: -PIN ('123123' | ConvertTo-SecureString -AsPlainText -Force) -TpmAndPinProtector
manage-bde.exe -protectors -enable C:
This works fines on offline account but NOT worked if a user is log-in using MS Account (which is default on Windows 11).
Method 2:
$SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
Enable-BitLocker -MountPoint c: -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
This example is taken from web (source: https://lazyadmin.nl/it/enable-bitlocker-windows-10/).
But this didn't worked as well, see below error message.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 77%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Your status says "encryption in progress", so it's clear that you cannot turn on Bitlocker once more - could that be the simple reason?
This is something I need to understand ...why.
As said in the first post, I have no issues when I am using offline account. However, as soon as I am login as MS Account, Windows tries to encrypt itself (some soft of auto-encryption or something, I am not sure).
Is it normal with MS Account?
Not possible to have unattened solution to enable Bitlocker even on MS Account?
When either an MS account is used (and all hardware requirements are fulfilled [TPM active, modern standby possible]), the device is encrypted automatically, yes.
Look at the BL- and device encryption policies whether you can forbid this.
Sorry, I don't use MS accounts on bitlocked machines.
Ahh, thanks for confirming that Bitlocker works "differently" with MS Account(s).
With Windows 11, we are forced to use MS Account (during OOBE) and I am challenged as the above mentioned methods are not more working.
When win11 setup comes to the point where it asks questions, just press Shift F10 ->a command line opens. There, launch
oobe /bypassnro
This will restart setup WITHOUT the need to be online or create an MS account.
Seems like sooner or later have to switch to MS Accounts any how, so I will be looking to adapt a method that should work with MS Accounts.
Regarding your trick to bypass MS Account give me error (anyhow), but that's not important, as MS Account will be area of interest for me.
Sorry, typo. Correct would be:
oobe\bypassnro
Thanks, tried it now and it didn't suppress the need of MS Account, rather asked to give a PC name of choice.
Anyhow, now this is not important to skip the MS account, rather how to work with MS account.
For Win11 22H2, oobe\bypassnro is the only way to escape from being forced into using an MS account.
See https://www.elevenforum.com/t/what-is-oobe-bypassnro.5011/
After you configure the computername and so on, you will be able to choose "I don't have internet", which would not even be available without bypassnro.
About your real problem:
Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:
Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
Value: PreventDeviceEncryption equal to True (1)
Type: REG_DWORD
Yeah, that would be appealing or at least will need a try to check it out.
Would like to ask about the suggestion /recommended /best practices in the following case:
Do you think it will be considered as best practice in production?
Hi @~OSD~
Try a minimum length of 6 digits.
With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of four digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.
Configure minimum PIN length for startup
-----------------------------------
If this is helpful please accept answer.
Already tried with 6 digit PIN and didn't worked as expected.
Here is the result:
Don't just quote the error but please include the command as well.
Please add the output of these batch commands:
manage-bde -protectors c: -add -tp
manage-bde -on c: -used -s -em aes256 -rp
See below:
I know why.
"123456" is a forbidden PIN, because it's trivial.
I replaced the original PIN with 123456 (as example of 6 digit PIN). Actual PIN was different.
Ok, please use the commands I gave you before:
manage-bde -protectors c: -add -tp
manage-bde -on c: -used -s -em aes256 -rp
What errors do these show (if any)?
Thanks for reply.
(My goal is to enable BitLocker completely "unattend" /without user intervention, but your suggested commands prompt user to enter the PIN.
Let's discuss it later, but here is the result of your suggestion, as step-by-step.
22H2 (Administrator).
