BitLocker: Encryption does not start

  • Article ID: 120416
  • Updated: 29 Mar 2016

BitLocker encryption does not start even though correct policies have been assigned and were applied on the client. 

First seen in

SafeGuard BitLocker Client 7.0
SafeGuard BitLocker Client 6.10.0

Operating systems

Windows 7, Windows 8, Windows 8.1, Windows 10

Common reasons for this are:

  • A bootable CD is in the drive (it must be ejected before encryption can start)
  • A bootable USB stick is attached (it must be removed before encryption can start)
  • A GPO is defined that is not supported in combination with BitLocker management by SGN.
  • The drive is not properly prepared for BitLocker encryption (this can be done using the BitLocker Drive Preparation Tool, BdeHdCfg.exe)
  • The TPM is not activated (but is defined as a protector)
  • An unsupported algorithm is applied on the client (e.g. AES-XTS on Windows 10 version 1511).

Only the following BitLocker group policies (GPOs) should be configured if BitLocker is managed by SGN:

  • Require additional authentication at startup
  • Allow BitLocker without a compatible TPM
  • Enable use of BitLocker authentication requiring preboot keyboard input on slates
  • Configure minimum PIN length for startup
  • Turn on TPM backup to Active Directory Domain Services

What to do

Ensure that no BitLocker group policy settings are configured that interfere with the settings defined in the SafeGuard policies. Otherwise they might be overruled by SafeGuard policies or even lead to conflicts with the SafeGuard BitLocker management.

Example: Activating the group policy setting "Do not enable BitLocker until recovery information is stored to AD for operating system drives" causes encryption to fail to start if you are using SafeGuard BitLocker Challenge/Response.
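
The following read-only PowerShell triage is an added example, not part of the original article or of SafeGuard. It checks a client for several of the causes listed above. The registry value names used for the permitted GPOs are an assumption taken from Microsoft's BitLocker policy templates; the script cannot tell whether attached media is bootable and does not check drive preparation.

```powershell
# Added example: read-only triage for the causes listed in this article. Run elevated.
# ASSUMPTION: these registry value names are how the permitted GPOs are stored
# (taken from Microsoft's BitLocker policy templates, not from this article).
$allowed = @(
    'UseAdvancedStartup','UseTPM','UseTPMPIN','UseTPMKey','UseTPMKeyPIN', # Require additional authentication at startup
    'EnableBDEWithNoTPM',                     # Allow BitLocker without a compatible TPM
    'OSEnablePrebootInputProtectorsOnSlates', # Preboot keyboard input on slates
    'MinimumPIN'                              # Configure minimum PIN length for startup
)   # "Turn on TPM backup to AD DS" is stored under ...\Policies\Microsoft\TPM, not FVE

# 1. BitLocker GPO values outside the permitted set
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (Test-Path $fve) {
    $key = Get-Item $fve
    foreach ($name in $key.GetValueNames()) {
        if ($allowed -notcontains $name) {
            Write-Warning ("Unexpected BitLocker GPO value: {0} = {1}" -f $name, $key.GetValue($name))
        }
    }
} else { Write-Output 'No BitLocker GPO values configured.' }

# 2. Removable media that can block the start of encryption (bootability is not tested)
Get-WmiObject Win32_CDROMDrive | Where-Object { $_.MediaLoaded } |
    ForEach-Object { Write-Warning "Disc loaded in $($_.Drive): eject it" }
Get-WmiObject Win32_DiskDrive -Filter "InterfaceType='USB'" |
    ForEach-Object { Write-Warning "USB disk attached: $($_.Model)" }

# 3. TPM state (matters when the TPM is defined as a protector)
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) { Write-Warning 'No TPM visible to Windows.' }
elseif (-not ($tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)) {
    Write-Warning 'TPM present but not enabled/activated.'
}

# 4. Current conversion status and encryption method of the system drive
manage-bde -status $env:SystemDrive
```

Any value reported in step 1 corresponds to a BitLocker GPO outside the list above and should be reviewed against the SafeGuard policy.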

If you need more information or guidance, then please contact technical support.
