BitLocker encryption does not start even though correct policies have been assigned and were applied on the client.
First seen in:
- SafeGuard BitLocker Client 7.0
- SafeGuard BitLocker Client 6.10.0
- Windows 7, Windows 8, Windows 8.1, Windows 10
Common reasons for this are:
- A bootable CD is in the drive (must be ejected to start the encryption process)
- A bootable USB stick is attached (must be ejected to start the encryption)
- A GPO is defined which is not supported in combination with BitLocker Management by SGN.
- The drive is not properly prepared for BitLocker encryption (this can be done with the BitLocker Drive Preparation Tool, BdeHdCfg.exe)
- The TPM is not activated, but is defined as a protector
- An unsupported algorithm is applied on the client (e.g. AES-XTS on Windows 10 version 1511)
Only the following BitLocker group policies (GPOs) should be configured if BitLocker is managed by SGN:
- Require additional authentication at startup
- Allow BitLocker without a compatible TPM
- Enable use of BitLocker authentication requiring preboot keyboard input on slates
- Configure minimum PIN length for startup
- Turn on TPM backup to Active Directory Domain Services
What to do
Ensure that no BitLocker group policy settings are configured that interfere with the settings defined in the SafeGuard policies. Otherwise they might be overruled by SafeGuard policies or even lead to conflicts with the SafeGuard BitLocker management.
Example: Activating the group policy setting "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives" causes encryption to fail to start if you are using SafeGuard BitLocker Challenge/Response.
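As an added illustration (not part of the Sophos article), the following PowerShell check walks the reasons listed above on a client: it flags any BitLocker policy value outside the set the article allows, checks TPM state, looks for removable boot media and reports the OS volume's BitLocker state. The registry path and policy value names are assumptions based on the BitLocker ADMX templates; verify them against your own policy definitions before relying on the output.

```powershell
# Added diagnostic example, not Sophos/SafeGuard code. Run elevated on the client.
# Assumed: BitLocker GPO values land under HKLM\SOFTWARE\Policies\Microsoft\FVE
# and use the value names below (check against the BitLocker ADMX in your domain).
$fvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# Assumed value names for the four FVE policies the article permits with SGN management
# ("Turn on TPM backup to AD DS" lives under the TPM policy key, so it is not listed here).
$allowedPolicies = @(
    'UseAdvancedStartup',                       # Require additional authentication at startup
    'EnableBDEWithNoTPM',                       # Allow BitLocker without a compatible TPM
    'OSEnablePrebootInputProtectorsOnSlates',   # Preboot keyboard input on slates
    'MinimumPIN'                                # Configure minimum PIN length for startup
)
$findings = @()

# 1. Any other FVE policy value (e.g. an AD-backup requirement or an encryption
#    method override) may conflict with the SafeGuard policies and block encryption.
if (Test-Path $fvePath) {
    $props = Get-ItemProperty -Path $fvePath
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSChildName, ...
        if ($allowedPolicies -notcontains $p.Name) {
            $findings += "Unsupported BitLocker GPO value set: $($p.Name) = $($p.Value)"
        }
    }
}

# 2. A TPM protector only works when the TPM is present, enabled and activated.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if ($tpm -and -not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    $findings += "TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady): activate the TPM or use another protector"
}

# 3. Bootable CD/DVD or USB media: DriveType 2 = removable, 5 = CD-ROM; Size is empty
#    when a CD drive holds no media.
Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 5 -and $_.Size } | ForEach-Object {
    $findings += "Removable media present in $($_.DeviceID); eject it before encryption can start"
}

# 4. State of the OS volume: shows whether it is still fully decrypted and which
#    encryption method the client is trying to apply.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($os) {
    $findings += "OS volume: status=$($os.VolumeStatus) method=$($os.EncryptionMethod) protection=$($os.ProtectionStatus)"
}

if ($findings.Count -eq 0) { 'No obvious blocker found; check drive preparation with BdeHdCfg.exe.' }
else { $findings }
```

The drive-preparation case is not automated here; run the BitLocker Drive Preparation Tool the article names if the other checks come back clean.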