Issue to enable BitLocker with a SID-Based Identity protector

This topic contains 3 replies, has 2 voices, and was last updated by Don Jones 3 months, 1 week ago.

  • #78844

    toniino38
    Participant

    Hi everyone,
    I'm facing an issue enabling BitLocker with a SID-Based Identity protector.

    Reading the documentation (https://technet.microsoft.com/en-us/itpro/powershell/windows/bitlocker/enable-bitlocker), I'm trying to follow example 3:

    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes128 -AdAccountOrGroup "Western\SarahJones" -AdAccountOrGroupProtector

    I just changed the EncryptionMethod to XTSAES256 and I get this error:

    "To turn on BitLocker with a SID-Based Identity protector on this volume, you must provide at least one additional protector for recovery"

    I don't understand what is wrong...

    Thanks a lot and regards

  • #78847

    Don Jones
    Keymaster

    So, this is what we'd call a "problem," not an "issue" :).

    The difference is likely in how your volumes are configured – yours seem to want a Recovery Key. https://technet.microsoft.com/en-us/library/jj647767(v=ws.11).aspx discusses some of the details of that.

    • #78926

      toniino38
      Participant

      Reading the full help for Add-BitLockerKeyProtector:
      "Active Directory Domain Services (AD DS) account. BitLocker uses domain authentication to unlock data volumes. Operating system volumes cannot use this type of key protector."

      It seems that an AD DS account is not compatible with the operating system volume; the error from Enable-BitLocker seems to indicate something else.

      Is there a way to implement TPM + AD DS account authentication to unlock OS volumes?

      Thanks a lot,
      Best regards

  • #78937

    Don Jones
    Keymaster

    Sorry – I'm a PowerShell guy but not much of a BL expert.
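The following is an added example, not code from either poster, showing what the quoted error is asking for: a recovery password protector is added before the SID-based protector on a data volume, while the OS volume gets TPM plus a recovery password, since the Add-BitLockerKeyProtector help quoted above says OS volumes cannot use the AD DS account protector. The mount points D: and C: and the account CONTOSO\alice are placeholders.

```powershell
# Added example (not from the thread). Assumes: data volume D:, OS volume C:,
# and a placeholder domain account 'CONTOSO\alice'; adjust for your environment.
$ErrorActionPreference = 'Stop'

# Data volume: the error says a SID-based protector needs another protector for
# recovery, so add a recovery password first, then enable with the AD account.
$dataVol = 'D:'
Add-BitLockerKeyProtector -MountPoint $dataVol -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $dataVol -EncryptionMethod XtsAes256 `
    -AdAccountOrGroup 'CONTOSO\alice' -AdAccountOrGroupProtector

# OS volume: an AD DS account protector cannot unlock an operating system
# volume, so protect it with the TPM at boot plus a recovery password.
$osVol = 'C:'
Add-BitLockerKeyProtector -MountPoint $osVol -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $osVol -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly

# Escrow each recovery password in AD DS (your domain must permit escrow) so
# the 'additional protector for recovery' is actually recoverable, then list
# the protectors each volume now carries.
foreach ($mp in $dataVol, $osVol) {
    $vol = Get-BitLockerVolume -MountPoint $mp
    foreach ($kp in $vol.KeyProtector) {
        if ($kp.KeyProtectorType -eq 'RecoveryPassword') {
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId
        }
    }
    $vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
}
```

Run from an elevated PowerShell session on the machine being encrypted; the listing at the end should show a RecoveryPassword entry alongside the AdAccountOrGroup (D:) or Tpm (C:) protector.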
