Bitlocker Event ID 812 - Can't encrypt computers when running from Logon Computer GPO (PS script)

vincent S 0 Reputation points
2023-01-25T09:49:50.3133333+00:00

Hello @ll,

I allow myself to reopen an unresolved topic that we have been facing for several weeks without a solution!

We are using a PS script to encrypt machines automatically & back up the keys to AD.
The script runs fine as Local Admin. Machines are TPM 2.0 & UEFI, W10 21H1.

Here is the script:

$Disques = Get-PSDrive -PSProvider FileSystem
foreach ($D in $Disques)
{
    # Only consider fixed (internal) volumes; mapped/removable drives have no usable volume here.
    $Volume = Get-Volume -DriveLetter $D.Name -ErrorAction SilentlyContinue
    if ($Volume -and $Volume.DriveType -eq "Fixed")
    {
        # Skip volumes that are already protected.
        if ((Get-BitLockerVolume -MountPoint $D.Name).ProtectionStatus -eq "Off")
        {
            $lettre = $D.Name + ":"
            # Enable BitLocker with the default TPM protector, skip the hardware test (-s)
            # and add a recovery password protector (-rp).
            manage-bde -on $lettre -s -rp
        }
    }
}

When running as a group policy startup script (Computer GPO) we get a TPM failure:

Bitlocker-API in Event Viewer shows Event ID 812:

"BitLocker cannot use Secure Boot for integrity because the UEFI variable "SecureBoot" could not be read."

I think NT AUTHORITY\SYSTEM doesn't have enough rights to access the UEFI variable?

What I have already tried:

- Clear the TPM
- I tried to put a BIOS password
- I tried with or without Secure Boot
- I checked if the BIOS is in UEFI mode
- I checked if the TPM is in Ready state
- I added the Local Computer object to the local Admin group
- I tried reducing the script to something simpler, "manage-bde -on c: -s -rp", but I got the same error message
- I configured a GPO to delay the startup script, or put a Start-Sleep -Seconds 600 within the script itself
- I tried on several different computer models

Any help would be greatly appreciated

Thank you


2 answers

  1. Limitless Technology 44,681 Reputation points
    2023-01-25T16:16:48.3666667+00:00

    Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.

    According to my research, there are many solutions on how to fix this issue. I have linked an article below that may help solve your issue. Here is what exactly the article has to say for the error "BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read."

    Manage-bde -protectors -get c:

    Shows that PCR 7 is NOT in use

    PowerShell cmdlet Confirm-SecureBootUEFI returns true

    For the solution:

    manage-bde -protectors c: -delete -t tpm

    manage-bde -protectors c: -add -tpm

    Validate that 7 and 11 are the PCRs used:

    manage-bde -protectors c: -get

    REFERENCE: https://www.reddit.com/r/sysadmin/comments/ldaf7e/bitlocker_cannot_use_secure_boot_for_integrity/

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

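The pre-flight checks and the PCR validation from the answer above, combined with the enable-and-escrow step the question's script performs, as an added PowerShell example that is not part of either post. It assumes C: is the OS volume, that the AD DS recovery-key backup policy is already applied so Backup-BitLockerKeyProtector can escrow the password, and that manage-bde prints a "PCR Validation Profile" line as in the answer's validation step.

```powershell
# Added example, not from the original post. Assumes: runs as SYSTEM on a UEFI machine,
# C: is the OS volume, and the AD DS recovery-key backup GPO is already in effect.
param([string]$MountPoint = 'C:')

function Test-BitLockerPrereqs {
    param([string]$MountPoint)
    # Event ID 812 means the UEFI "SecureBoot" variable could not be read.
    # Confirm-SecureBootUEFI throws when the variable/platform is unavailable,
    # so a thrown error is reported as "not readable" instead of aborting the script.
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }
    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        SecureBootReadable = ($null -ne $secureBoot)
        SecureBootEnabled  = [bool]$secureBoot
        TpmReady           = ($tpm.TpmPresent -and $tpm.TpmReady)
        ProtectionStatus   = $vol.ProtectionStatus
        VolumeStatus       = $vol.VolumeStatus
    }
}

function Enable-BitLockerWithAdBackup {
    param([string]$MountPoint)
    # Recovery password first, so encryption never starts without an escrowable key.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    # Escrow the recovery password to AD DS before adding the TPM protector.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    # The TPM protector is the step that fails with Event ID 812 when SecureBoot is unreadable.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    # Same validation as the answer above: the profile should list PCR 7 and 11.
    manage-bde -protectors -get $MountPoint | Select-String 'PCR Validation Profile'
}

$state = Test-BitLockerPrereqs -MountPoint $MountPoint
if (-not $state.SecureBootReadable) {
    Write-Warning 'UEFI SecureBoot variable not readable; BitLocker-API will log Event ID 812. Fix firmware state first.'
    return
}
if (-not $state.TpmReady) { Write-Warning 'TPM is not present or not ready.'; return }
if ($state.ProtectionStatus -eq 'Off' -and $state.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLockerWithAdBackup -MountPoint $MountPoint
} else {
    Write-Output "Skipping $MountPoint: protection=$($state.ProtectionStatus), status=$($state.VolumeStatus)"
}
```

Running the check function alone from the GPO startup context shows whether SYSTEM can read the SecureBoot variable before any encryption is attempted, which isolates the 812 failure from the rest of the script.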

  2. Khaing Linn Htun 0 Reputation points
    2023-09-07T07:02:42.8666667+00:00

    Are you okay for this now? I face this issue also.
