BitLocker - Manually run BitLocker


First, check to see if the hard drive is already BitLocker Encrypted.

 

BitLocker On, Off, Encrypting, Paused

  1. Select the Windows Start icon > Control Panel.
  2. Select BitLocker Drive Encryption.

 

If BitLocker is On, there is no need to run BitLocker.

If BitLocker is Encrypting, there is no need to run BitLocker.

 

If BitLocker is Off, proceed to the next section.

 

If BitLocker is Paused, run the chkdsk /r command and restart the PC.

 

 

Trusted Platform Module (TPM)

  1. Select the Windows Start icon > Control Panel.
  2. Select BitLocker Drive Encryption.
  3. In the left panel, select TPM Administration.

If no TPM module can be found, reboot the PC, enter BIOS, and manually set TPM to Activate.

 

If the Operating System is Windows 7, and version 2.0 of TPM is being used, download the executable from your motherboard manufacturer to revert BIOS to TPM 1.2.

 

If BIOS is using TPM version 1.2, and TPM Security is set to Activate in BIOS, yet Windows displays Compatible TPM cannot be found, shut down the PC, and disconnect any power supplies connected to the PC. If the PC is a laptop, remove the battery from the laptop. After 15 minutes, power the PC back on, and check to see if a TPM module is now found.

OsEnforcePolicyPeriod key

Ensure the OsEnforcePolicyPeriod value is of type REG_DWORD and is set to 0. If it exists and the PC has not been restarted, restart the machine. This may run BitLocker silently, with no GUI. In a few hours, check to see if the hard drive is BitLocker Encrypted.

Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement"
. . .
OsEnforcePolicyPeriod          : 0

 

If this key does not exist, create the key, and then restart the PC. In a few hours, check to see if the hard drive is BitLocker Encrypted.

 

NoStartupDelay key

Use the PowerShell cmdlet below to determine if the NoStartupDelay key is set to 1.

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\MBAM" | select NoStartupDelay
. . .
NoStartupDelay          : 1

 

If the NoStartupDelay key is not set to 1, use the following PowerShell cmdlet to set it to 1.

New-ItemProperty -Path HKLM:\Software\Microsoft\MBAM -Name NoStartupDelay -Value "1" -PropertyType DWORD -Force

 

Use the following PowerShell cmdlets to restart the BitLocker Management Client Service.

Stop-Service -displayname "BitLocker Management Client Service"
Start-Service -displayname "BitLocker Management Client Service"

 

In about 1 to 2 minutes, BitLocker Drive Encryption should display Encrypting.

 

If a pop-up box appears with options Postpone and Start, select Start.

 

 

Organizational Unit

If the system will still not encrypt, the computer may not be in the correct Organizational Unit (OU). PowerShell can be used to determine the OU the computer is in.

 

Event Viewer

If BitLocker continues to fail to encrypt, check the Applications and Services Logs > Microsoft > Windows > MBAM > Admin and Operational logs for details. In this example, the Admin log displays errors that the TPM hardware is missing.

 

Outcome

After the drive has been encrypted, the C: drive should show BitLocker Encrypted.
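
The checks from the sections above, collected into one read-only script. This is an added example, not part of the original article. It assumes an elevated PowerShell session on Windows 8 or later (where Get-BitLockerVolume and Get-Tpm are available) and the MBAM event channels Microsoft-Windows-MBAM/Admin and Microsoft-Windows-MBAM/Operational; Get-RegValue is a helper name made up for this example.

```powershell
# Added example: read-only checks for the steps on this page (elevated session, Windows 8+).

function Get-RegValue([string]$Path, [string]$Name) {
    # Hypothetical helper: returns $null when the key or value is missing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Volume state. VolumeStatus distinguishes FullyDecrypted, EncryptionInProgress,
# EncryptionPaused and FullyEncrypted; ProtectionStatus is On or Off.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

# TPM as Windows sees it, plus the spec version (1.2 vs 2.0) from WMI.
$tpm = Get-Tpm
$tpmSpec = try {
    (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction Stop).SpecVersion
} catch { $null }

# The two registry values discussed on this page.
$enforce = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement' 'OsEnforcePolicyPeriod'
$noDelay = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\MBAM' 'NoStartupDelay'

# MBAM agent service, looked up by the display name used above.
$svc = Get-Service -DisplayName 'BitLocker Management Client Service' -ErrorAction SilentlyContinue

# Distinguished name of this computer in Active Directory (shows the OU).
$dn = try {
    $s = [adsisearcher]"(&(objectCategory=computer)(name=$env:COMPUTERNAME))"
    $s.FindOne().Properties['distinguishedname'][0]
} catch { $null }

[pscustomobject]@{
    VolumeStatus          = $vol.VolumeStatus
    ProtectionStatus      = $vol.ProtectionStatus
    TpmPresent            = $tpm.TpmPresent
    TpmReady              = $tpm.TpmReady
    TpmSpecVersion        = $tpmSpec
    OsEnforcePolicyPeriod = $enforce   # expected: 0
    NoStartupDelay        = $noDelay   # expected: 1
    MbamServiceStatus     = $svc.Status
    ComputerDN            = $dn
} | Format-List

# Ten most recent errors and warnings from the MBAM Admin and Operational logs.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational'
    Level   = 2, 3
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message | Format-List
```

An empty value for OsEnforcePolicyPeriod, NoStartupDelay or ComputerDN means the registry value is missing or the computer object could not be found in the directory.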



