How to fix Bitlocker failing to activate?

This post was most recently updated on August 29th, 2024.


Alright, so my months-long via dolorosa to achieve a functioning Windows workstation has now cost me a few weeks' worth of hours of work and around $4000. And I’m finally at a point where I have Visual Studio working again, and I’m only missing some totally unimportant and irrelevant things like BitLocker. No biggie, right?

What’s weird, though, is that I’m only missing it because it decided to randomly break. Let me explain.

Problem

After a clean Windows install, it’s to be expected that BitLocker is not enabled. That’s fine. But you will need to enable it if you want to encrypt your hard drive.

And that’s exactly what I tried. But when activating it, I got the following error:

Starting BitLocker

The startup options on this PC are configured incorrectly. Contact your system administrator for more information.

Well – I got in touch with my system administrator (because the link “What are BitLocker’s system requirements?” not only takes you to a page defining requirements for Windows 10, not 11, but also doesn’t explain the requirements) and he told me to make sure my primary hard drive is the first boot option.

A very sensible piece of advice. So sensible, in fact, that the hard drive was already the first boot option.

So I needed to find something else, and got to googling.

Before doing anything dramatic, I wanted to back up my encryption key. Turns out that wasn’t easy either:

I had never seen this before, but the only way to store the recovery key was to save it to a USB drive. Printing was unavailable – which was incredibly odd – but also synchronizing it to Azure AD was disabled (although perhaps that’s for the better, as you should never trust this to work and always have a local copy of the recovery key – which is something I found out the hard way!)

Anyway. I could actually locate an old USB pen drive, and tried saving the recovery key.

It looked like it was successful. But trying to enable BitLocker would just throw the same errors as before.

… what gives?

Reason

By default, BitLocker will only protect the operating-system drive with a TPM-based protector, and it refuses to start if Windows does not see a compatible, ready TPM (none present, disabled in the firmware, or not yet initialized). On a fresh install the Group Policy setting that relaxes this requirement is "Not configured", so instead of offering a PIN, a password or a USB startup key, the wizard just stops with the "startup options" error above. Before changing anything, it is worth checking what Windows actually sees: tpm.msc (or Get-Tpm in an elevated PowerShell) shows whether a TPM is present and ready.

This was not the case last 3 times I’ve had to reinstall Windows (like I said, I’ve done it quite a few times in the past few months!)

But like we always say: Windows is like a box of chocolates. You never know what you’re gonna get.

That’s the beauty of Windows being the “AI Operating System”: it’s nondeterministic. You truly will never know what’s going to happen next.

Solution

But the solution? A Group Policy setting: “Require additional authentication at startup”, with the option to allow BitLocker without a compatible TPM. Despite its name, it does not force BitLocker on. It tells BitLocker which startup protectors (TPM, TPM + PIN, TPM + startup key, or a startup key/password without a TPM) are acceptable, and once that is configured the wizard lets you proceed.

1. Open Group Policy Editor

Press Win + R, type gpedit.msc, and press Enter.

2. Find BitLocker configuration for system drives

Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

3. Enable Additional Authentication

Find and double-click on Require additional authentication at startup.

Set it to Enabled and check the box for Allow BitLocker without a compatible TPM (this requires a password or a startup key on a USB flash drive when no usable TPM is found). Leave the four “Configure TPM …” drop-downs at their default “Allow …” values, so that TPM-only, TPM + PIN and TPM + startup key protectors all remain available.

The policy dialog should then show “Require additional authentication at startup” as Enabled with that checkbox ticked.

4. Apply and restart

Next, apply the newly configured policy by running the following in an elevated terminal/console window:

gpupdate /force

And then restart and retry configuring BitLocker for your C: drive.

Troubleshooting

If BitLocker then (or after your next restart) fails again with an error like the one below:

“BitLocker could not be enabled” – The data drive specified is not set to automatically unlock on the current computer and cannot be unlocked automatically. C: was not encrypted.

Add an unlocking option yourself before turning encryption on (a “protector” in BitLocker lingo is a way to unlock your drive). Run the following in an elevated prompt. The first one is for TPM + PIN; it will prompt you to choose the PIN:

manage-bde -protectors -add C: -TPMAndPIN

And if you want to use a USB startup key instead (here E: is the USB drive, which then has to be plugged in at every boot):

manage-bde -protectors -add C: -StartupKey E:

Whichever you pick, also add a recovery password protector and keep a copy of it somewhere other than this machine, then turn encryption on and restart. If your machine boots up and unlocks, you should be good; the BitLocker status output shows the encryption progress.
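To make the whole procedure above (policy, protectors, recovery key, encryption) reproducible without clicking through dialogs, here is a PowerShell script added for this page; it is not code from the original post. It assumes that the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones gpedit.msc writes for “Require additional authentication at startup” (check the policy in gpedit.msc afterwards), that C: is the operating-system drive, and that $BackupDir is a folder you will copy the recovery key out of. It uses the BitLocker PowerShell module (Get-Tpm, Enable-BitLocker, Add-BitLockerKeyProtector) instead of manage-bde; the two are equivalent for these steps.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post. Assumptions: the FVE registry
# values below match what gpedit.msc writes for the policy, C: is the OS drive,
# and $BackupDir is where you want the recovery key written before moving it.
param(
    [string]$Drive           = 'C:',
    [string]$BackupDir       = "$env:USERPROFILE\Desktop",
    [switch]$UseStartupKey,                  # USB startup key instead of TPM + PIN
    [string]$StartupKeyDrive = 'E:\'          # the USB drive for -UseStartupKey
)

# 1. What does Windows see? If TpmReady is False, the default TPM-only path fails
#    with "The startup options on this PC are configured incorrectly".
$tpm = Get-Tpm
"TPM present: {0}  ready: {1}" -f $tpm.TpmPresent, $tpm.TpmReady

# 2. The same policy the GUI steps set, as DWORD values under the FVE policy key.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
$policy = @{
    UseAdvancedStartup = 1   # "Require additional authentication at startup" = Enabled
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM"
    UseTPM             = 2   # 2 = Allow, 1 = Require, 0 = Do not allow
    UseTPMPIN          = 2   # TPM + PIN allowed
    UseTPMKey          = 2   # TPM + startup key allowed
    UseTPMKeyPIN       = 2   # TPM + startup key + PIN allowed
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $policy[$name] `
        -PropertyType DWord -Force | Out-Null
}
gpupdate /force | Out-Null

# 3. Do nothing if the drive is already protected.
$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.ProtectionStatus -eq 'On') { "BitLocker is already on for $Drive"; return }

# 4. Recovery password first, and a local copy of it, before anything is encrypted.
#    Do not rely on Azure AD / Entra sync alone for this.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
$out = Join-Path $BackupDir ("BitLocker-Recovery-{0}.txt" -f $rp.KeyProtectorId.Trim('{}'))
"Identifier: $($rp.KeyProtectorId)`nRecovery Key: $($rp.RecoveryPassword)" |
    Set-Content -Path $out
"Recovery password saved to $out. Move it off this machine."

# 5. Add the startup protector and start encrypting. -SkipHardwareTest avoids the
#    extra reboot BitLocker otherwise uses to check that the protector unlocks.
if ($UseStartupKey) {
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 `
        -StartupKeyProtector -StartupKeyPath $StartupKeyDrive -SkipHardwareTest
} else {
    $pin = Read-Host -Prompt 'Choose a BitLocker PIN' -AsSecureString
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $pin -SkipHardwareTest
}

# 6. Show where we ended up; VolumeStatus reports EncryptionInProgress until done.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
"Reboot now; the PIN or USB key will be required at startup."
```

Run it as `.\Enable-BitLockerWithPolicy.ps1` for TPM + PIN, or with `-UseStartupKey -StartupKeyDrive E:\` for a USB key. The recovery password is deliberately created and written out before Enable-BitLocker runs, so that a failed or interrupted enable step never leaves you with an encrypting drive and no key on disk.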
