
Bitlocker could not be enabled - The data drive is not set to automatically unlock

Hi,

We are currently trying to trial SafeGuard Enterprise 8.1. On my first test machine I have the client and configuration installed. It asks for a PIN before starting the encryption but after a reboot it does not ask me to enter the PIN and after logging on comes up with a message from Bitlocker saying:

"Bitlocker could not be enabled. The data drive is not set to automatically unlock on the current computer and cannot be unlocked automatically. C: was not encrypted"

There is also a SafeGuard window saying that the PIN entered at the authentication screen was incorrect even though an authentication screen was never shown.

The machine is a Windows 10 1809 laptop with TPM 2.0, UEFI, SecureBoot and GPT HD.


Has anyone seen this before?

  • Odd this - Data drives (secondary/removable drives) are normally ones you want to auto-unlock, as in once Windows has booted from the other drive and stored the creds/info for the secondary drive then THAT can auto-unlock for the OS so you don't need to enter the password each time.

    Since this issue seems to be "below" the OS (PIN entry at the authentication screen happens before Windows has started to load) I would suspect there are some conflicting settings within the BIOS/HDD that are messing up the TPM/boot options.


    What model is the laptop please Adam?

    Can you also give us the result of "manage-bde -status" at an elevated command prompt?

    Can you also give us the result of "tpm.msc" (run with elevated rights)?


  • Hi Michael,

    It is a Dell Inspiron 5770

    Results of "manage-bde -status":

    Disk volumes that can be protected with
    BitLocker Drive Encryption:
    Volume C: [Windows]
    [OS Volume]

    Size: 921.59 GB
    BitLocker Version: 2.0
    Conversion Status: Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method: None
    Protection Status: Protection Off
    Lock Status: Unlocked
    Identification Field: Unknown
    Key Protectors:
    External Key

    tpm.msc:

  • Ah, external key!

    Have you configured Startup Key in the Sophos policy for this machine?

    Startup key or external key is a USB memory stick that stores the key. You would use it instead of TPM and PIN for devices that don’t have TPM.

    If you could remove that from the policy (or use a USB stick if you’d prefer that) that should resolve the issue.

    TPM looks good but looks as if that policy is overriding TPM being used as a key protector.
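    To check the state described in this reply on a client (TPM readiness, the protector types actually attached to the OS volume, and whether only an ExternalKey/startup-key protector exists instead of TpmPin), here is an added diagnostic that is not part of this thread or of SafeGuard Enterprise. It assumes the built-in BitLocker and TrustedPlatformModule PowerShell modules and an elevated prompt.

```powershell
# Added diagnostic (not from this thread or the Sophos product): compare the OS
# volume's BitLocker key protectors against an expected TPM + PIN policy.
# Assumes the built-in BitLocker and TrustedPlatformModule modules; run elevated.
function Test-TpmPinProtectorState {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive   # OS volume, normally "C:"
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. A TPM-based protector needs a present and ready TPM (what tpm.msc shows).
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add('TPM not present: only startup-key or password protectors are possible.')
    } elseif (-not $tpm.TpmReady) {
        $findings.Add('TPM present but not ready: check tpm.msc / firmware for a cleared or disabled TPM.')
    }

    # 2. Inspect the protectors actually attached to the OS volume.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    if ($types -contains 'TpmPin') {
        $findings.Add('TpmPin protector present: protectors match a TPM + PIN policy.')
    } elseif (($types -contains 'ExternalKey') -and -not ($types -match '^Tpm')) {
        # The state reported in this thread: ExternalKey only, no TPM-based protector.
        $findings.Add('Only an ExternalKey (startup key) protector exists and no TPM-based protector: applied protectors do not match TPM + PIN.')
    } else {
        $findings.Add("Protectors found: $($types -join ', ')")
    }

    # 3. Protection/encryption state, as manage-bde -status also reports it.
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("Protection is $($vol.ProtectionStatus); volume status is $($vol.VolumeStatus).")
    }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        KeyProtectors    = $types
        ProtectionStatus = $vol.ProtectionStatus
        Findings         = $findings
    }
}

Test-TpmPinProtectorState | Format-List
```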

  • The policy is set to TPM + PIN, not startup key:

    I have found this in msinfo32:

    Does this suggest a hardware issue?


    thanks,

    Adam

  • It is odd - something not right here! Have you tried to enable BitLocker manually on the client after you've added a key protector?
