BitLocker Encryption with Password (No TPM Issues)

This guide outlines the steps that worked to enable BitLocker on the operating system drive of a Windows 11 Pro system using a password protector, without relying on a TPM, and the workarounds for the command-line errors met along the way.

Prerequisites:

  • Windows 11 Pro (or Enterprise/Education)
  • User account with Administrator privileges

Steps:

  1. Configure Group Policy to Allow Password Protector:
    • Open Group Policy Editor (gpedit.msc).
    • Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
    • Double-click Configure use of passwords for operating system drives.
    • Select Enabled.
    • Ensure Require password for operating system drive is checked.
    • If the PC has no TPM, also open Require additional authentication at startup in the same folder, set it to Enabled and check Allow BitLocker without a compatible TPM; without it BitLocker refuses to turn on for the operating system drive.
    • Click Apply, then OK.
    • Open Command Prompt (Admin) and run gpupdate /force.
    • Reboot PC.
  2. Remove any Existing Residual Password Protector:
    • Open Command Prompt as Administrator (not PowerShell: PowerShell parses the braces around the GUID as a script block, so manage-bde does not receive the ID as typed. The same commands work in PowerShell only if the ID is quoted, e.g. -id "{GUID}").
    • Identify the Password protector's ID (GUID) using:

DOS

manage-bde -protectors -get C:

(Look for Password type and its ID: {GUID}).

    • Delete the protector using its ID:

DOS

manage-bde -protectors -delete C: -id {YOUR_PASSWORD_PROTECTOR_GUID}

(Replace {YOUR_PASSWORD_PROTECTOR_GUID} with the actual ID from the previous step.)

    • Verify deletion:

DOS

manage-bde -protectors -get C:

(Should show no Password protector).

  3. Add the Password Key Protector:
    • Open PowerShell as Administrator.
    • Prompt for the password and keep it as a SecureString (you will be asked to type it after running this, and it is not echoed or left in the console history):

PowerShell

$BitLockerPassword = Read-Host -AsSecureString "Enter your desired BitLocker password"

    • Add the password protector to the C: drive:

PowerShell

Add-BitLockerKeyProtector -MountPoint "C:" -PasswordProtector -Password $BitLockerPassword

    • Verify the password protector is added (optional, but good for confirmation):

PowerShell

manage-bde -protectors -get C:

(Should now show a Password protector with a new ID).

  4. Initiate BitLocker Encryption:
    • Open Command Prompt as Administrator.
    • Turn on BitLocker for the C: drive:

DOS

manage-bde -on C:

    • Reboot your PC when prompted by manage-bde. On that reboot BitLocker first runs a hardware test, which asks for the password at the pre-boot prompt once before any data is encrypted; if the test fails, encryption does not start and the drive stays unencrypted, so you are not locked out.
  5. Retrieve and Save BitLocker Recovery Key:
    • After rebooting, pass the hardware test and log back into Windows; encryption continues in the background.
    • Open PowerShell as Administrator.
    • Retrieve the 48-digit numerical recovery key. It belongs to the RecoveryPassword protector, not to the Password protector added in step 3 (whose RecoveryPassword field is empty), so filter on that type:

PowerShell

(Get-BitLockerVolume -MountPoint "C:").KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" } | Select-Object -ExpandProperty RecoveryPassword

(If this prints nothing, the volume has no recovery password protector yet; add one with Add-BitLockerKeyProtector using -RecoveryPasswordProtector, then rerun the command. manage-bde -protectors -get C: also lists it as Numerical Password.)

    • Copy the displayed 48-digit key.
    • Save this key securely to a USB drive, print it, or manually record it in a safe place; never store it on the C: drive it unlocks. (Note: automatic backup to a Microsoft Account may occur, but manual backup is advised if the GUI option is missing. On a domain- or Entra-joined PC, Backup-BitLockerKeyProtector or BackupToAAD-BitLockerKeyProtector escrows it centrally.)
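The following script is an added example, not part of the original guide: it runs steps 2 to 5 above as one elevated PowerShell session, with the checks a careful operator would add (volume not already encrypted, recovery key not written to the drive it unlocks, password confirmed before the protector is created, TPM-less policy pre-flight). It assumes step 1 has already been done, that $MountPoint is the OS drive, that $BackupPath points to a USB drive (the path is an example), and that the FVE policy value name EnableBDEWithNoTPM corresponds to the Allow BitLocker without a compatible TPM setting (quoted from memory; treat the warning as advisory). Enable-BitLocker is used in place of manage-bde -on so the recovery password protector is created in the same call.

```powershell
#Requires -RunAsAdministrator
# Added example for this guide (not the author's original commands).
$ErrorActionPreference = 'Stop'
$MountPoint = 'C:'
$BackupPath = 'E:\BitLocker-C-RecoveryKey.txt'   # assumed: a file on a USB drive, never on C:

# Never store the recovery key on the volume it unlocks.
$root = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($BackupPath)).TrimEnd('\')
if ($root -ieq $MountPoint) { throw "Recovery key backup path must not be on $MountPoint" }

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is $($vol.VolumeStatus); this script expects a fully decrypted volume"
}

# Pre-flight for a TPM-less PC: without "Allow BitLocker without a compatible TPM"
# the operating system drive cannot be turned on. Value name is an assumption.
$tpmPresent = $false
try { $tpmPresent = [bool](Get-Tpm).TpmPresent } catch { }
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $tpmPresent -and $fve.EnableBDEWithNoTPM -ne 1) {
    Write-Warning 'No TPM found and the no-TPM policy does not appear to be enabled; Enable-BitLocker will probably fail.'
}

# Step 2: remove residual Password protectors. The GUID is passed as a string here,
# which sidesteps the brace-parsing problem hit when manage-bde -delete is typed in PowerShell.
foreach ($kp in @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Password')) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    Write-Host "Removed residual password protector $($kp.KeyProtectorId)"
}

# Step 3: read the password twice as SecureString and validate before touching the volume.
$pw1 = Read-Host -AsSecureString -Prompt 'Enter the BitLocker password'
$pw2 = Read-Host -AsSecureString -Prompt 'Confirm the BitLocker password'
$plain1 = [System.Net.NetworkCredential]::new('', $pw1).Password
$plain2 = [System.Net.NetworkCredential]::new('', $pw2).Password
if ($plain1 -cne $plain2) { throw 'Passwords do not match' }
if ($plain1.Length -lt 8)  { throw 'BitLocker passwords must be at least 8 characters' }
Remove-Variable plain1, plain2, pw2   # drop the plaintext copies as soon as they are checked

Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $pw1 | Out-Null

# Step 4: add a numerical recovery password and start encryption. On an OS drive this
# schedules a hardware test on the next reboot (the pre-boot password prompt is exercised
# once before any data is encrypted); -SkipHardwareTest is deliberately not used.
Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector -EncryptionMethod XtsAes256 | Out-Null

# Step 5: the 48-digit key lives on the RecoveryPassword protector, not the Password one.
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -ExpandProperty RecoveryPassword
if (-not $recovery) { throw 'No recovery password protector was created' }

Set-Content -Path $BackupPath -Value @(
    "BitLocker recovery key for $env:COMPUTERNAME $MountPoint",
    "Created: $(Get-Date -Format o)",
    "Recovery password: $recovery"
)
Write-Host "Recovery password saved to $BackupPath. Reboot now to run the hardware test and begin encryption."
```

Run it from an elevated PowerShell window after completing step 1 and inserting the USB drive; the only interactive input is the password prompt. The plaintext comparison is the one moment the password exists outside a SecureString, which is why the variables are removed immediately after the check. If you prefer the guide's manage-bde -on C: for step 4, add the recovery protector first with Add-BitLockerKeyProtector -RecoveryPasswordProtector, since manage-bde -on alone does not create one.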