Re: How to Enable BitLocker From Tool

Posted: Wed Mar 18, 2026 3:12 pm
by Cubert
Please post current plugin version: (1.0.0.22 is current)
Please post the computer's OS type and build:

It was easier to create a quick video than to write out the process and add all the images in the correct order.

The video is 5 minutes long where I (today) take a computer not enabled for BitLocker and from start to finish, enable, encrypt and key a volume. I then go back and add a second key, then afterwards show where you can see in the raw what the computer responded with.

Within those errors will be the clues we need to determine why the plugin was not able to encrypt the drive and then of course fail to add any further keys.

You can see in the video that the plugin does work. It is collecting input from me and executing standard PowerShell commands to manage BitLocker remotely. It sends commands directly, then when it needs the full status of the computer's volumes, it writes a small script to the temp dir and executes it so we get a complete formatted output of the status of the computer (%windir%\temp\Get-BLProtectors.ps1). Get-BLProtectors.ps1 only reads current data and does not do any of the encryption or add-protector commands. The terminal always calls these commands directly so you can see them in the raw logs.

See Video


Try to do your request to encrypt again and capture the command logs. Post them up here; I would say start a new post to begin a thread on the error type. Then we can see where that leads us.

Re: How to Enable BitLocker From Tool

Posted: Wed Mar 18, 2026 8:08 pm
by PL-MSTech
After update to 1.0.0.22 From Plugin, I got the following error...

```
Reaching out to ASSISTANT-PC
Testing Agent for TPM -> ASSISTANT-PC has TPM available
Initializing TPM ->
TpmReady : True
RestartRequired : False
ShutdownRequired : False
ClearRequired : False
PhysicalPresenceRequired : False
Testing Volume Encryption
Updating ASSISTANT-PC - -> agent volume has been updated
Enable-BitLockerInternal : Value does not fall within the expected range.
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:3823 char:48
+ ... eInternal = Enable-BitLockerInternal -MountPoint $BitLockerVolumeInte ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,Enable-BitLockerInternal
Launching a refresh of the agent's volume and protector data
Refreshing Volume Data for [ASSISTANT-PC]
-> agent volume data was refreshed
Refreshing Key Protector Data for [ASSISTANT-PC]
-> agent key protector data was refreshed
```
[note that the TPM protector still shows as being installed in the plugin]

This error may be:
- bad or incomplete protector state on C:
- unsupported or invalid encryption method passed by the plugin
- plugin/script is calling enable with a parameter combination Windows does not accept
- stale BitLocker metadata on the drive even though the volume is fully decrypted

From the module snippet around line 3823, the failure happens right after a protector is added and then Enable-BitLockerInternal is called. So the likely bad input is either:
- the protector that was just added, or
- an enable option the plugin is passing

I suspect the plugin is doing one of these:
- adding a protector type that does not match what it later expects
- attempting to enable with a stale/incomplete BitLockerVolume object
- passing an encryption method value Windows rejects
- assuming protector creation succeeded when it did not fully succeed

Re: How to Enable BitLocker From Tool

Posted: Wed Mar 18, 2026 8:38 pm
by PL-MSTech
Further troubleshooting BitLocker enablement with plugin version 1.0.0.22 ------ wanted to share findings that point to an issue in the enable workflow.

**Summary of behavior:**

* TPM initializes correctly and reports `TpmReady = True`
* Plugin successfully adds protectors (TPM + RecoveryPassword)
* `Get-BitLockerVolume` confirms:
  * `KeyProtector : {Tpm, RecoveryPassword}`
  * `VolumeStatus : FullyDecrypted`
  * `ProtectionStatus : Off`
* Plugin then fails during enable with:

```
Enable-BitLockerInternal : Value does not fall within the expected range
```

**Root cause:**
The plugin appears to call `Enable-BitLocker` using a parameter set that attempts to re-add a TPM protector (e.g., `-TpmProtector`) even when one already exists. This results in:

```
This key protector cannot be added. Only one key protector of this type is allowed
```

Additionally, when using `manage-bde -on`, Windows returns:

```
You must restart your computer before continuing with BitLocker Drive Encryption.
```

This indicates BitLocker is actually staged correctly, but the plugin:

1. Does not handle the “pending hardware test / reboot required” state
2. Likely uses an invalid or conflicting parameter set when enabling BitLocker

**Validated working sequence (manual):**

1. Add protectors:

   ```
   manage-bde -protectors -add C: -tpm
   manage-bde -protectors -add C: -recoverypassword
   ```
2. Start encryption:

   ```
   manage-bde -on C: -usedspaceonly
   ```
3. Reboot (required for TPM hardware test)
4. Encryption begins successfully

**Key findings:**

* Adding protectors alone does NOT trigger encryption (contrary to documentation expectations)
* `Enable-BitLocker` must not attempt to add duplicate TPM protectors
* The workflow must account for and surface the required reboot before encryption begins

**Recommendation:**

* Detect existing TPM protector and avoid re-adding it
* Use an enable method that works with existing protectors (or switch to `manage-bde -on`)
* Handle and report the “restart required” state explicitly
* Only mark enablement as failed if post-reboot encryption does not start

Let me know if you want logs
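A script that applies the recommendations in the post above: read the existing protectors first, add only what is missing, start encryption with `manage-bde -on` rather than an `Enable-BitLocker` parameter set that re-adds a TPM protector, and report the "restart required" state as a state rather than a failure. This is an added example, not the plugin's code or the poster's; the function name `Enable-BitLockerIdempotent` is hypothetical, and it assumes an elevated PowerShell session on the target machine with the BitLocker module present.

```powershell
# Added example (not the plugin's code): idempotent enable following the post's findings.
# Assumes it runs elevated on the target itself with the BitLocker module available.
function Enable-BitLockerIdempotent {
    param(
        [string]$MountPoint = 'C:',
        # manage-bde spelling of the cipher; xts_aes256 is what a "256-bit" choice should yield
        [ValidateSet('aes128','aes256','xts_aes128','xts_aes256')]
        [string]$EncryptionMethod = 'xts_aes256'
    )

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Only one TPM protector is allowed per volume: add it only when absent.
    if ($types -notcontains 'Tpm') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    }
    # Recovery password is the fallback protector; add one only if missing.
    if ($types -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    # Adding protectors does not start encryption. Enable-BitLocker insists on a
    # protector switch and would try to re-add one, so start via manage-bde -on.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rebootRequired = $false
    $output = ''
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $output = (& manage-bde.exe -on $MountPoint -UsedSpaceOnly `
                    -EncryptionMethod $EncryptionMethod 2>&1) -join "`n"
        # Windows stages the TPM hardware test and asks for a reboot; surface
        # that as a state instead of treating it as a failed enablement.
        $rebootRequired = $output -match 'restart your computer'
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $MountPoint
        Protectors       = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        VolumeStatus     = $vol.VolumeStatus
        # Reads 'None' until encryption actually starts; re-check after the reboot
        # to confirm the requested cipher (e.g. XtsAes256) was honoured.
        EncryptionMethod = $vol.EncryptionMethod
        RebootRequired   = $rebootRequired
        ManageBdeOutput  = $output
    }
}

Enable-BitLockerIdempotent -MountPoint 'C:' | Format-List
```

Only mark enablement as failed when, after the reboot, `VolumeStatus` is still `FullyDecrypted` and `ProtectionStatus` has not turned `On`.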

Re: How to Enable BitLocker From Tool

Posted: Thu Mar 19, 2026 1:52 pm
by Cubert
That is interesting... never considered to look for existing key protectors on an unencrypted volume. We do once the volume is encrypted but not if unencrypted.

Can I ask if you currently have any other volumes on that PC encrypted or is this the first volume to be encrypted?

Also can I get the OS type and build number of the computer being tested so I can compare notes?

Re: How to Enable BitLocker From Tool

Posted: Thu Mar 19, 2026 7:55 pm
by Cubert
To give you an updated status on the BitLocker Plugin

I am currently testing build 1.0.0.23 to make sure we have things working correctly and ready for release.

This is where the majority of today's work landed. Current state is significantly improved. Key status by area:
  • ✅ Thread model: Background thread, UI helpers, shadow progress field
  • ✅ TPM check: Single round-trip, typed booleans, typo fixed
  • ✅ TPM-family conflict: Detect, remove conflicting type, skip if exact match
  • ✅ Cipher forwarding: AES selection and SkipHardware both forwarded
  • ✅ Polling loops: WaitForCommand centralises all polling
  • ✅ UI control access: Five InvokeRequired helpers
  • ✅ Reboot button: Background thread dispatch
  • ✅ ConvertToSQLValues: Sentinel return, thread-safe logging
The above basically means I have created a more aware TPM process where new keys and existing keys get evaluated. We now include automatic support for XtsAes encryption methods; as part of TPM and hardware testing, we capture this and provide a reboot button and a notice that the computer requires a reboot to complete the encryption process. Improved UI experience.

I'll let you know when we feel we have a release quality build ready.

Re: How to Enable BitLocker From Tool

Posted: Thu Mar 19, 2026 9:27 pm
by PL-MSTech
There were no encrypted volumes... I believe it WAS encrypted, but perhaps a firmware or BIOS upgrade removed encryption and the protectors?
It is Windows 11 24H2.
Also... when we encrypted machines using the plugin, we chose the 256-bit option, but they all show 128.
Thanks