This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Bitlocker could not be enabled - The data drive is not set to automatically unlock

Hi,

We are currently trying to trial SafeGuard Enterprise 8.1. On my first test machine I have the client and configuration installed. It asks for a PIN before starting the encryption but after a reboot it does not ask me to enter the PIN and after logging on comes up with a message from Bitlocker saying:

"Bitlocker could not be enabled. The data drive is not set to automatically unlock on the current computer and cannot be unlocked automatically. C: was not encrypted"

There is also a SafeGuard window saying that the PIN entered at the authentication screen was incorrect even though an authentication screen was never shown.

The machine is a Windows 10 1809 laptop with TPM 2.0, UEFI, SecureBoot and GPT HD.

Has anyone seen this before?

This thread was automatically locked due to age.

Parents

0 MichaelMcLannahan over 5 years ago

Odd this - Data drives (secondary/removable drives) are normally ones you want to auto-unlock, as in once Windows has booted from the other drive and stored the creds/info for the secondary drive then THAT can auto-unlock for the OS so you don't need to enter the password each time.

Since this issue seems to be "below" the OS (PIN entry at authentication screen is before Windows has started to load) I would suspect there is some conflicting settings within the BIOS/HDD that are messing up TPM/boot options.

What model is the laptop please Adam?

Can you also give us the result of "manage-bde -status" at an elevated command prompt?

Can you also give us the result of "tpm.msc" (run with elevated rights)
Cancel
Vote Up 0 Vote Down

Cancel
0 Adam Barnes over 5 years ago in reply to MichaelMcLannahan

Hi Michael,

It is a Dell Inspiron 5770

Results of manage-bde-status:

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

Size: 921.59 GB
BitLocker Version: 2.0
Conversion Status: Fully Decrypted
Percentage Encrypted: 0.0%
Encryption Method: None
Protection Status: Protection Off
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
External Key

tpm.msc:
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Adam Barnes over 5 years ago in reply to MichaelMcLannahan

Hi Michael,

It is a Dell Inspiron 5770

Results of manage-bde-status:

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

Size: 921.59 GB
BitLocker Version: 2.0
Conversion Status: Fully Decrypted
Percentage Encrypted: 0.0%
Encryption Method: None
Protection Status: Protection Off
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
External Key

tpm.msc:
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 MichaelMcLannahan over 5 years ago in reply to Adam Barnes

Ah, external key!

Have you configured Startup Key in the Sophos policy for this machine?

Startup key or external key is a USB memory stick that stores the key. You would use it instead of TPM and PIN for devices that don’t have TPM.

If you could remove that from the policy (or use a USB stick if you’d prefer that) that should resolve the issue.

TPM looks good but looks as if that policy is overriding TPM being used as a key protector.
Cancel
Vote Up 0 Vote Down

Cancel
0 Adam Barnes over 5 years ago in reply to MichaelMcLannahan

The policy is set to TPM + PIN, not startup key:

I have found this in msinfo32:

Does this suggest a hardware issue?

thanks,

Adam
Cancel
Vote Up 0 Vote Down

Cancel
0 MichaelMcLannahan over 5 years ago in reply to Adam Barnes

It is odd - something not right here! Have you tried to enable BitLocker manually on the client after you've added a key protector?
Cancel
Vote Up 0 Vote Down

Cancel