BitLocker problem | Event 812

FRETIER PIERRE

Hello everyone,

I'm trying to enable BitLocker via GPO.

On Laptops, the GPO works despite a DMA error that I simply correct in the registry editor.

On desktop PCs only, the GPO does not work.

In the Event Viewer, I see event 812:

"BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read.

Error Message: The client does not have a necessary privilege."

However, even with maximum privileges, the disk cannot be encrypted via the GPO.

To anticipate certain questions:

  • TPM is activated and is version 2.0.
  • Secure Boot is enabled.
  • Everything works locally.
  • I have already tried manage-bde -protectors c: -add -tpm, but without success.
  • The GPO applies to computers in the domain, and the computers are part of the domain (everything is done on test PCs).
  • The script works locally and is separate from the first GPO.
  • The OS is Windows 11.

The only difference I see between the laptops and the desktop PCs is Kernel DMA Protection, which is enabled on the laptops.

However, I find it illogical not to be able to encrypt a workstation via GPO when that protection is disabled (it is not supported on the desktop PCs).

That's it; I hope you can give me some clues about my problem.

Thanks in advance.


1 answer

  1. Wesley Li-MSFT (Microsoft Vendor)


    I understand your situation and it can be quite frustrating. Here are some potential solutions and insights that might help:

    Kernel DMA Protection: Kernel DMA Protection is a Windows security feature that prevents external peripherals from gaining unauthorized access to memory. It's recommended to disable the BitLocker DMA attack countermeasures if the system supports Kernel DMA Protection. Kernel DMA Protection provides a higher security bar for the system than the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals.

    BitLocker Event ID 812: This error typically occurs when BitLocker cannot use Secure Boot for integrity because the UEFI variable ‘SecureBoot’ could not be read. One potential solution is to verify the PCR validation profile of the TPM and the secure boot state. You can also try running your script as the system account using an elevated command prompt.

    GPO Not Working on Desktop PCs: If the GPO is not working on desktop PCs, it could be due to a number of reasons. One possibility is that there’s some kind of outdated driver that is not allowed by DMA. You can check which driver it is, update it, and then allow it manually via the registry editor.

    BitLocker and TPM: If TPM is activated and in 2.0, and Secure Boot is enabled, everything should work locally. However, if you’re still encountering issues, you might want to try the command manage-bde -protectors c: -add -tpm again.

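The answer above suggests three checks: the TPM PCR validation profile, the Secure Boot state, and running the script as SYSTEM. The script below is an added example (not code from the question, the answer, or Microsoft) that performs those checks in one place on the affected desktop. It assumes an elevated PowerShell session, the standard Windows locations for the BitLocker policy keys, the DMA allow-list key the question refers to (HKLM\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses), and the BitLocker Management event log; the task name BitLockerDiag and the output path are arbitrary choices made here. The security-relevant point it is built around: reading a UEFI variable such as SecureBoot requires SeSystemEnvironmentPrivilege in the calling token, which is exactly what "The client does not have a necessary privilege" means. An elevated administrator token and the SYSTEM account (the account a GPO computer startup script runs under) both hold it, so running the check as SYSTEM separates a token problem from a firmware one. Event 812 itself only says the PCR 7 (Secure Boot) binding is unavailable and BitLocker falls back to the legacy PCR profile; it does not by itself block encryption, so if the volume still does not encrypt, the other fields in the output are where to look.

```powershell
#Requires -RunAsAdministrator
# Added diagnostic for the Event 812 / Secure Boot thread above (not from the
# original post). Assumption: run from an elevated PowerShell on the desktop
# that fails to encrypt via GPO.

function Test-BitLockerPrereqs {
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')

    $r = [ordered]@{}

    # 1. Reading UEFI variables needs SeSystemEnvironmentPrivilege in the token.
    #    Without it you get "The client does not have a necessary privilege".
    $priv = whoami /priv /fo csv | ConvertFrom-Csv
    $r.HasSystemEnvironmentPrivilege =
        [bool]($priv | Where-Object { $_.'Privilege Name' -eq 'SeSystemEnvironmentPrivilege' })

    # 2. Secure Boot as the firmware reports it (throws on legacy BIOS or without the privilege).
    try   { $r.SecureBoot = Confirm-SecureBootUEFI }
    catch { $r.SecureBoot = "unreadable: $($_.Exception.Message)" }

    # 3. TPM presence, readiness and spec version (expect 2.0 per the question).
    $tpm = Get-Tpm
    $r.TpmPresent     = $tpm.TpmPresent
    $r.TpmReady       = $tpm.TpmReady
    $r.TpmSpecVersion = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm).SpecVersion

    # 4. Platform security properties as Device Guard sees them:
    #    2 = Secure Boot, 3 = DMA protection (IOMMU). msinfo32 remains the
    #    authoritative display for the "Kernel DMA Protection" line.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $r.AvailableSecurityProperties = ($dg.AvailableSecurityProperties -join ',')

    # 5. Policy driving the TPM protector: PCR profile GPO and the DMA allow-list
    #    the question mentions editing by hand.
    $pcr = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $r.PcrProfilePolicy = if (Test-Path $pcr) { (Get-ItemProperty $pcr | Out-String).Trim() }
                          else { 'not configured (BitLocker defaults apply)' }
    $dma = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'
    $r.DmaAllowedBuses  = if (Test-Path $dma) { (Get-ItemProperty $dma | Out-String).Trim() } else { 'none' }

    # 6. Current volume state, protectors already present, and recent 812 events.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $r.VolumeStatus  = $vol.VolumeStatus
    $r.KeyProtectors = ($vol.KeyProtector.KeyProtectorType -join ',')
    $r.Event812 = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 812 } `
        -MaxEvents 3 -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.TimeCreated): $($_.Message.Split("`n")[0])" }

    [pscustomobject]$r
}

# Run a script as SYSTEM (the account a GPO computer startup script uses) via a
# one-shot scheduled task, so the result can be compared with the interactive
# run. Sysinternals "psexec -s" is the usual alternative.
function Invoke-AsSystem {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [string]$OutFile = "$env:ProgramData\bl-diag.txt"   # arbitrary path chosen here
    )
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"& '$ScriptPath' *> '$OutFile'`""
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'BitLockerDiag' -Action $action -Principal $principal -Force | Out-Null
    Start-ScheduledTask -TaskName 'BitLockerDiag'
    Start-Sleep -Seconds 15
    Unregister-ScheduledTask -TaskName 'BitLockerDiag' -Confirm:$false
    Get-Content $OutFile
}

# Interactive (elevated) run; save this file and pass its path to Invoke-AsSystem
# to repeat the same checks under the SYSTEM token.
Test-BitLockerPrereqs | Format-List
```

Compare the two runs field by field. If HasSystemEnvironmentPrivilege is true and SecureBoot still reads as unreadable under SYSTEM, the problem is on the firmware side of the desktop, not in the GPO or the account running it; if KeyProtectors is empty after the GPO has applied, the TPM protector was never created, and the PcrProfilePolicy and DmaAllowedBuses values are the policy inputs to compare between a laptop that works and a desktop that does not.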