Issue to enable BitLocker with a SID-Based Identity protector

This topic contains 3 replies, has 2 voices, and was last updated by Don Jones 10 months, 2 weeks ago.

  • #78844


    Hi everyone,
    I'm facing an issue enabling BitLocker with a SID-Based Identity protector.

    Reading the documentation (, I'm trying to follow example 3:

    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes128 -AdAccountOrGroup "Western\SarahJones" -AdAccountOrGroupProtector

    I just changed the EncryptionMethod to XTSAES256 and I get this error:

    "To turn on BitLocker with a SID-Based Identity protector on this volume, you must provide at least one additional protector for recovery"

    I don't understand what is wrong...

    Thanks a lot and regards

  • #78847

    Don Jones

    So, this is what we'd call a "problem," not an "issue" :).

    The difference is likely in how your volumes are configured – yours seem to want a Recovery Key. discusses some of the details of that.

    • #78926


      Reading the full help for Add-BitLockerKeyProtector:
      "Active Directory Domain Services (AD DS) account. BitLocker uses domain authentication to unlock data volumes. Operating system volumes cannot use this type of key protector."

      It seems that an AD DS account is not compatible with the operating system volume; the error from Enable-BitLocker seems to indicate something else.

      Is there a way to implement TPM + AD DS account authentication to unlock OS volumes?

      Thanks a lot,
      Best regards

  • #78937

    Don Jones

    Sorry – I'm a PowerShell guy but not much of a BL expert.
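The error quoted in the first post says the volume needs a recovery protector in addition to the SID-based one, and the help text quoted in the follow-up says the AD DS account protector is not allowed on the OS volume. The script below is an added example, not code from the thread or from Microsoft's documentation; it assumes an elevated PowerShell session on a domain-joined machine with a TPM, an OS volume C:, a data volume D:, and an AD environment configured to store BitLocker recovery information (the account "Western\SarahJones" is the one from the thread's example).

```powershell
# Added example (not from the thread). Assumes: elevated session, domain-joined
# machine with TPM, OS volume C:, data volume D:, and AD DS configured to accept
# BitLocker recovery information. Replace "Western\SarahJones" with your own
# account or group.

# --- Data volume: SID-based protector plus the recovery protector it requires ---
# The error in the first post comes from supplying only the AdAccountOrGroup
# protector. Add a recovery password first, then enable with the SID protector.
$dataVolume = "D:"
Add-BitLockerKeyProtector -MountPoint $dataVolume -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $dataVolume `
    -EncryptionMethod XtsAes256 `
    -AdAccountOrGroup "Western\SarahJones" -AdAccountOrGroupProtector

# --- OS volume: the AD DS account protector is not allowed here (per the
# Add-BitLockerKeyProtector help quoted above), so use TPM + recovery password ---
$osVolume = "C:"
Add-BitLockerKeyProtector -MountPoint $osVolume -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $osVolume -EncryptionMethod XtsAes256 -TpmProtector

# --- Check: every volume must end up with a RecoveryPassword protector, and the
# recovery password should be escrowed in AD DS rather than living only here ---
foreach ($mp in $osVolume, $dataVolume) {
    $vol = Get-BitLockerVolume -MountPoint $mp
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        Write-Warning "$mp has no RecoveryPassword protector; unlock on a failure is impossible"
        continue
    }
    Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $recovery.KeyProtectorId
    $types = ($vol.KeyProtector.KeyProtectorType) -join ', '
    "{0}: status={1}, protectors={2}" -f $mp, $vol.VolumeStatus, $types
}
```

If Enable-BitLocker still reports the recovery error after this, run Get-BitLockerVolume on the mount point and confirm that a RecoveryPassword entry actually appears under KeyProtector before retrying.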
