Win11 enable bitlocker pin with powershell

Marco Müller 0 Reputation points
2024-03-27T13:23:20.4533333+00:00

Hello,

On a newly installed Windows 11 machine I am trying to set up BitLocker using PowerShell (to automate it further down the line):

Add-BitLockerKeyProtector C: -RecoveryPasswordProtector
Enable-Bitlocker c: -TpmAndPinProtector ....

This results in error 0x80310060: a group policy is not permitting these settings.

I did NOT touch any group policies! The device is NOT joined to a domain.

If I use the GUI way, I am able to activate BitLocker with TPM and PIN.

What do I have to do to get this fixed? Preferably without touching GPOs

Regards


2 answers

  1. Dharahas Goud 5 Reputation points
    2024-03-27T13:37:33.6466667+00:00

    To enable BitLocker with a PIN using PowerShell in Windows 11, follow these steps:

    1. Launch an elevated PowerShell console (Run as Administrator).
    2. To view the available BitLocker commands, run the following command:
      
         Get-Command -Module BitLocker
      
      
      If you don't see any output, it's likely because you're running it on a Windows Server OS. Note that BitLocker is installed by default on client operating systems like Windows 10 and Windows 11. However, if you want to use BitLocker on a Windows Server, you need to manually enable it using this PowerShell command:
      
         Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
      
      
      This command installs BitLocker (including all subfeatures and management tools) and then restarts the server to complete the installation.
    3. To get information about the volumes (or drives) that BitLocker can protect on your computer, use:
      
         Get-BitLockerVolume
      
      
      By default, this command displays useful properties for all volumes. You can specify a particular volume using the -MountPoint parameter. For example, to view the status of only the C: drive, use:
      
         Get-BitLockerVolume -MountPoint "C:"
      
      
    4. To enable BitLocker with a PIN, use the following command (replace the PIN with your desired value):
      
         # The -Pin parameter expects a SecureString, not plain text
         $Pin = ConvertTo-SecureString "YourPINHere" -AsPlainText -Force
      
         # TPM + PIN protector; -UsedSpaceOnly encrypts only the space currently in use
         Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -Pin $Pin -TpmAndPinProtector -UsedSpaceOnly
      
      
      Make sure to replace "YourPINHere" with your actual PIN. This command will enable BitLocker encryption on the C: drive using both TPM and a PIN for key protection.

  2. Marco Müller 0 Reputation points
    2024-03-28T06:50:35.1533333+00:00

    Hello,

    I have been using these commands on Win 10 for years without problems.

    Only on Windows 11 do I get this GPO error. Without ever touching a GPO!!!!

    Enable-BitLocker C: -EncryptionMethod XtsAes256 -TpmAndPinProtector -pin $pin -SkipHardwareTest
    Add-TpmAndPinProtectorInternal : Group Policy settings do not permit the use of a PIN at startup. Please choose a different BitLocker startup option.
    (Exception from HRESULT: 0x80310060)
    At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2099 char:31
    + ...   $Result = Add-TpmAndPinProtectorInternal $BitLockerVolumeInternal.M ...
    +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException

    The problem seems to be with the Win 11 PowerShell command. Why else would I get a GPO error when it is possible to set it up this way with the GUI?
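An added example that is not part of either answer or of Microsoft's documentation, tying the two posts together: the message in the second post ("Group Policy settings do not permit the use of a PIN at startup", 0x80310060) refers to the "Require additional authentication at startup" setting, whose state the local Group Policy editor stores under HKLM\SOFTWARE\Policies\Microsoft\FVE. The script reads those values so you can see what the cmdlet sees, and then runs the recovery-password-then-TPM+PIN sequence from the question. Writing the values is the same as enabling the setting in gpedit.msc, so that function exists but is only called if you opt in, since the question asks to avoid GPO changes. The function names, the "already protected" short-circuit and the interactive PIN prompt are choices made for this example.

```powershell
# Added example (not from the question or either answer): diagnose the policy
# behind "Group Policy settings do not permit the use of a PIN at startup"
# (0x80310060), then enable TPM+PIN on C: the way the question attempts.
# Run from an elevated PowerShell console on the machine being encrypted.
#Requires -RunAsAdministrator

# Local policy path written by the GPO "Require additional authentication at
# startup". Value meanings: UseAdvancedStartup 1 = policy enabled;
# UseTPMPIN 0 = PIN not allowed, 1 = PIN required, 2 = PIN allowed.
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-StartupPinPolicy {
    # Returns a short description of whether a startup PIN is currently allowed.
    if (-not (Test-Path $FvePolicy)) { return 'Not configured: FVE policy key absent' }
    $p = Get-ItemProperty -Path $FvePolicy
    if ($p.UseAdvancedStartup -ne 1) { return 'Not configured: UseAdvancedStartup is not 1' }
    switch ($p.UseTPMPIN) {
        1       { 'Allowed: TPM+PIN required' }
        2       { 'Allowed: TPM+PIN optional' }
        default { 'Blocked: UseTPMPIN is not 1 or 2' }
    }
}

function Set-StartupPinPolicy {
    # Writes the same six values gpedit.msc writes when the setting is enabled
    # with "Allow startup PIN with TPM". This IS a (local) Group Policy change,
    # so the caller has to opt in explicitly (see the usage lines below).
    New-Item -Path $FvePolicy -Force | Out-Null
    $values = @{
        UseAdvancedStartup = 1; EnableBDEWithNoTPM = 0
        UseTPM = 2; UseTPMPIN = 2; UseTPMKey = 2; UseTPMKeyPIN = 2
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $FvePolicy -Name $name -Value $values[$name] -Type DWord
    }
}

function Enable-TpmPinBitLocker {
    # Hypothetical wrapper for this example around the question's two cmdlets.
    param(
        [Parameter(Mandatory)] [securestring] $Pin,
        [string] $MountPoint = 'C:'
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        $types = $vol.KeyProtector.KeyProtectorType -join ', '
        Write-Warning "$MountPoint is already protected; existing protectors: $types"
        return
    }
    # Recovery password first so there is always a way back in, then the
    # TPM+PIN protector. -SkipHardwareTest avoids the reboot-and-test cycle.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $Pin -SkipHardwareTest | Out-Null
    # Hand the recovery password back so it can be stored off the encrypted disk.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object KeyProtectorId, RecoveryPassword
}

# Usage: always run the check; uncomment the rest only after deciding that
# writing the local policy values is acceptable for this machine.
Write-Host "Startup PIN policy: $(Get-StartupPinPolicy)"
# Set-StartupPinPolicy
# $pin = Read-Host 'Startup PIN (default minimum length is 6 digits)' -AsSecureString
# Enable-TpmPinBitLocker -Pin $pin
```

If Get-StartupPinPolicy reports "Not configured" or "Blocked", that is exactly the condition the cmdlet turns into 0x80310060; run it before and after any change so the cause of the error is visible rather than inferred. Store the returned RecoveryPassword somewhere other than the volume being encrypted before rebooting.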