BitLocker encryption does not start even though correct policies have been assigned and were applied on the client.
First seen in
SafeGuard BitLocker Client 6.10.0
Windows 7, Windows 8, Windows 8.1
Common reasons for this are:
- A bootable CD is in the drive (must be ejected to start the encryption process)
- A bootable USB stick is attached (must be ejected to start the encryption)
- A GPO is defined which is not supported in combination with BitLocker Management by SGN
- The drive is not properly prepared for BitLocker encryption (can be done using the BitLocker Drive Preparation tool BdeHdCfg.exe)
- The TPM is not activated (but is defined as a protector)
Only the following BitLocker group policies (GPOs) should be configured if BitLocker is managed by SGN:
- Require additional authentication at startup
- Allow BitLocker without a compatible TPM
- Enable use of BitLocker authentication requiring preboot keyboard input on slates
- Configure minimum PIN length for startup
- Turn on TPM backup to Active Directory Domain Services
What to do
Ensure that all other BitLocker group policies are left as default. Otherwise they might be overruled by SafeGuard policies or even lead to conflicts with the SafeGuard BitLocker management.
Example: Activating the group policy setting "Do not enable BitLocker until recovery information is stored to AD for operating system drives" causes encryption to fail to start if you are using SafeGuard BitLocker Challenge/Response.
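
The following PowerShell sketch checks a client for the causes listed above. It is an added example, not a Sophos tool. It assumes BitLocker group policies are stored under HKLM:\SOFTWARE\Policies\Microsoft\FVE and that the value names in $allowedFve correspond to the supported policies; verify that mapping against VolumeEncryption.admx on your systems. Run it from an elevated prompt.

```powershell
# Added diagnostic example. The value-name-to-policy mapping is an assumption:
# verify it against VolumeEncryption.admx before relying on the result.
$allowedFve = @(
    # Require additional authentication at startup / Allow BitLocker without a compatible TPM
    'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN',
    # Enable use of BitLocker authentication requiring preboot keyboard input on slates
    'OSEnablePrebootInputProtectorsOnSlates',
    # Configure minimum PIN length for startup
    'MinimumPIN'
)
# "Turn on TPM backup to Active Directory Domain Services" is stored under
# HKLM:\SOFTWARE\Policies\Microsoft\TPM, so it never appears in the FVE key.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. BitLocker policy values outside the supported set
if (Test-Path $fveKey) {
    $key = Get-Item $fveKey
    foreach ($name in $key.GetValueNames()) {
        if ($name -and ($allowedFve -notcontains $name)) {
            Write-Warning ("BitLocker GPO value outside the supported set: {0} = {1}" -f $name, $key.GetValue($name))
        }
    }
} else {
    Write-Output 'No BitLocker group policy values are set on this client.'
}

# 2. Removable media (flags any loaded disc or USB disk; it cannot tell whether it is bootable)
Get-WmiObject Win32_CDROMDrive | Where-Object { $_.MediaLoaded } |
    ForEach-Object { Write-Warning ("Disc loaded in drive {0}; eject it." -f $_.Drive) }
Get-WmiObject Win32_DiskDrive | Where-Object { $_.InterfaceType -eq 'USB' } |
    ForEach-Object { Write-Warning ("USB disk attached: {0}; remove it." -f $_.Model) }

# 3. TPM state (relevant when the TPM is defined as a protector)
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    Write-Warning 'No TPM is visible to Windows.'
} elseif (-not ($tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)) {
    Write-Warning 'TPM is present but not enabled and activated.'
} else {
    Write-Output 'TPM is enabled and activated.'
}
```

A warning from the first check names the registry value to trace back to its GPO with gpresult or rsop.msc; drive preparation is not covered here and is still checked with BdeHdCfg.exe.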