@Brink Since you made the tutorial about the Enable BitLocker reg files (which I filed but they didn't work, tried on multiple machines with multiple settings), I ask you and/or anybody knowledgeable for help. I have been working on this issue for a week to no avail.
First I run this registry file which is integrated into my Windows images anyway
Code:
```
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"EncryptionMethodWithXtsOs"=dword:00000007
"EncryptionMethodWithXtsFdv"=dword:00000007
"EncryptionMethodWithXtsRdv"=dword:00000007
"UseAdvancedStartup"=dword:00000001
"EnableBDEWithNoTPM"=dword:00000000
"UseTPM"=dword:00000000
"UseTPMPIN"=dword:00000001
"UseTPMKey"=dword:00000000
"UseTPMKeyPIN"=dword:00000000
```
According to Microsoft's official BitLocker
> BitLocker Group Policy settings - Windows Security
> If one authentication method is required, the other methods can't be allowed. Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.
So basically only 1 value may be set to "1" and then all the rest must be set to "0" as above otherwise GPOs will conflict.
Now when I run this script that first detects that BitLocker has been enabled or not, and if not, then it will enable BitLocker on the C Drive, FVE, and sets the default pin, and then proceeds to inject 3 UNCs into the RunOnce registry location so that those 3 apps I made will be launched upon the next (re)boot, the script throws the EM:
> "Enable-BitLockerInternal: The value is outside the expected range.
> At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:3738 character:48 ... eInternal = Enable-BitLockerInternal -MountPoint $BitLockerVolumeInte ...
Tried it both on a Hyper-V VM and then on a physical laptop, neither worked.
Why does my script run perfectly on Windows 10 yet not on Windows 11? I don't get it. Please help
Windows Build/Version: 11
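A pre-flight check for the FVE startup-authentication values discussed in the post, as an added example that is not the poster's script or Microsoft's code. It applies the rule from the quoted Microsoft text (one required method, no others allowed); the function names, the `-TpmPresent` parameter and the sample hashtables are assumptions made for illustration, and the value meanings 0 = do not allow, 1 = require, 2 = allow are assumed from the Group Policy options.

```powershell
# Added example: consistency check for the BitLocker startup-authentication
# policy values under the FVE key. Names below are hypothetical.
$FveKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Methods = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'

function Test-FveStartupPolicy {
    param([hashtable]$Policy, [bool]$TpmPresent = $true)
    $problems = @()
    if ($Policy['UseAdvancedStartup'] -ne 1) {
        $problems += 'UseAdvancedStartup is not 1, so the Use* values are not applied.'
    }
    # Assumption: 0 = do not allow, 1 = require, 2 = allow.
    $required = @($Methods | Where-Object { $Policy[$_] -eq 1 })
    $allowed  = @($Methods | Where-Object { $Policy[$_] -eq 2 })
    if ($required.Count -gt 1) {
        $problems += "More than one method is required: $($required -join ', ')."
    }
    if ($required.Count -eq 1 -and $allowed.Count -gt 0) {
        $problems += "$($required[0]) is required but still allowed: $($allowed -join ', ')."
    }
    if ($required.Count -ge 1 -and -not $TpmPresent) {
        $problems += 'A TPM-based method is required but no TPM is present.'
    }
    [pscustomobject]@{
        Required   = $required -join ', '
        Consistent = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

function Get-FvePolicy {
    # Read only the values this check uses; missing values are left out.
    $policy = @{}
    $item = Get-ItemProperty -Path $FveKey -ErrorAction SilentlyContinue
    foreach ($name in @('UseAdvancedStartup') + $Methods) {
        if ($item -and $null -ne $item.$name) { $policy[$name] = [int]$item.$name }
    }
    $policy
}

# Constructed input 1: the startup values from the .reg file in the post.
$fromPost = @{ UseAdvancedStartup = 1; UseTPM = 0; UseTPMPIN = 1; UseTPMKey = 0; UseTPMKeyPIN = 0 }
# Constructed input 2: a conflicting variant (one required, another allowed).
$conflict = @{ UseAdvancedStartup = 1; UseTPM = 2; UseTPMPIN = 1; UseTPMKey = 0; UseTPMKeyPIN = 0 }
Test-FveStartupPolicy -Policy $fromPost
Test-FveStartupPolicy -Policy $conflict
# Live check of this machine; Get-Tpm needs an elevated session.
Test-FveStartupPolicy -Policy (Get-FvePolicy) -TpmPresent (Get-Tpm).TpmPresent
```

The check covers policy consistency and TPM presence only; it does not inspect the arguments passed to `Enable-BitLocker`.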