2

When I try to add PIN protection to my BitLocker setup I get the following error:

ERROR: An error occurred (code 0x80310031): This key protector cannot be added. Only one key protector of this type is allowed for this drive.

I have selected "Require startup PIN with TPM" in group policy settings. The rest is set to 'allow'.

Then I used the following command:

manage-bde -protectors -add c: -TPMAndPIN

From what I recall this is a proper setting (I am not setting up TPM+PIN bitlocker for the first time).

Ideas?

4
  • I don't have any expertise with your problem, but from your description, it appears that there is already a key protector enacted. Logic suggests to me that you would have to remove the previous key protector before you could add a new one. I await my education. :)
    – Xavierjazz
    Commented Sep 9, 2017 at 20:51
  • Hehe, before setting up BitLocker I had 'cleared' the TPM and 'retaken ownership'. I am not a specialist in TPMs; one might think it got cleared... no, you say? Hmm.
    – Vega4
    Commented Sep 9, 2017 at 21:00
  • 1
    Well, it did the trick. There was a TPMandPIN setting from a previous installation, but why wasn't it active... All in all, unexpected things happen when you reinstall Windows after a lost BitLocker recovery key. That's not the only thing.
    – Vega4
    Commented Sep 9, 2017 at 21:07
  • I have made my comment into an answer. I would appreciate it if you accept it. I'm glad it worked.
    – Xavierjazz
    Commented Sep 9, 2017 at 21:25

4 Answers

2

Here are the steps I used. Note this was for a cluster shared volume, but presumably it will work just as well for a local volume.

$BLV = Get-BitLockerVolume -MountPoint "C:\clusterstorage\volume3"
Remove-BitlockerKeyProtector -MountPoint "C:\clusterstorage\volume3" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId

Note that in the MS documentation it uses index 1, but if you only have one protector then it should actually be index 0! You can check this by comparing the output from $BLV.KeyProtector[0] to the (probably zero) output from $BLV.KeyProtector[1].

Also, until I added the final .KeyProtectorID I kept getting "invalid class string".

Reference: https://docs.microsoft.com/en-us/powershell/module/bitlocker/remove-bitlockerkeyprotector?view=win10-ps

1

In Command Prompt:

manage-bde -protectors -delete c:
manage-bde -protectors -add c: -TPMAndPIN
manage-bde -protectors -enable c:

Reboot & enjoy BitLocker boot protection with your new Startup PIN.

2
  • 1
    The last command should be manage-bde -protectors -enable c: (had to use it today)
    – Pieterjan
    Commented Aug 20, 2023 at 12:06
  • @Pieterjan Good catch, thanks, I've edited :)
    Commented Aug 21, 2023 at 23:58
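The two answers above take different routes to the same fix: the PowerShell one removes a protector by array index, the manage-bde one deletes every protector on the drive and then adds TPM+PIN. The following is an added example, not code from any answer on this page, that combines them into a safer procedure: it selects protectors by KeyProtectorType and KeyProtectorId instead of guessing an index, makes sure a RecoveryPassword protector exists before touching anything, and removes only TPM-family protectors (the "type" that error 0x80310031 refers to, since BitLocker allows one TPM-based protector per volume). It assumes an elevated PowerShell session with the BitLocker module available; the mount point and the PIN prompt are placeholders you would adapt.

```powershell
# Added example (not from any answer on this page): swap an existing TPM-type
# protector on C: for TPM+PIN without losing the recovery password.
# Assumption: elevated session, BitLocker PowerShell module present.
#Requires -RunAsAdministrator
$MountPoint = "C:"   # placeholder; any BitLocker volume works

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# 1. See what is actually there. Each entry carries a KeyProtectorType and a
#    KeyProtectorId (a braced GUID), the same IDs that
#    'manage-bde -protectors -get C:' prints.
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# 2. Never delete the last way back in. Ensure a RecoveryPassword protector
#    exists before any TPM protector is removed, and record it if it is new.
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType.ToString() -eq 'RecoveryPassword' }
if (-not $recovery) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType.ToString() -eq 'RecoveryPassword' }
    Write-Warning "New recovery password created; store it now: $($recovery.RecoveryPassword)"
}

# 3. Remove only the TPM-family protectors. A leftover Tpm or TpmPin protector
#    from a previous installation is exactly what makes
#    'manage-bde -protectors -add C: -TPMAndPIN' fail with 0x80310031.
$tpmTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
$vol.KeyProtector |
    Where-Object { $tpmTypes -contains $_.KeyProtectorType.ToString() } |
    ForEach-Object {
        Write-Host "Removing $($_.KeyProtectorType) protector $($_.KeyProtectorId)"
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }

# 4. Add the TPM+PIN protector. -Pin takes a SecureString, so prompt for it
#    rather than embedding the PIN in the script.
$pin = Read-Host -AsSecureString -Prompt "New BitLocker startup PIN"
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

# 5. Make sure protection is on, then show the final protector set: expect one
#    TpmPin entry plus the RecoveryPassword entry.
Resume-BitLocker -MountPoint $MountPoint | Out-Null
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId -AutoSize
```

The same selective removal is possible from a Command Prompt: `manage-bde -protectors -get C:` lists each protector with its ID, and `manage-bde -protectors -delete C: -id "{GUID}"` removes just that one, whereas `manage-bde -protectors -delete C:` with no -id removes every protector on the drive, recovery password included. Whichever tool you use, confirm the recovery password is backed up before the reboot that first asks for the new PIN.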
0

I don't have any expertise with your problem, but from your description, it appears that there is already a key protector enacted. Logic suggests to me that you would have to remove the previous key protector before you could add a new one. I await my education. :)

1
  • 2
    add some lines on how to list and remove previous protectors, for the reference of others and I shall accept :)
    – Vega4
    Commented Sep 9, 2017 at 23:59
-1

Get-BitLockerVolume C: | fl

ComputerName : xxxxxxx
MountPoint : C:
EncryptionMethod : None
AutoUnlockEnabled :
AutoUnlockKeyStored : false
MetadataVersion : 2
VolumeStatus : FullyDecrypted
ProtectionStatus : Off
LockStatus : Unlocked
EncryptionPercentage : 0
WipePercentage : 0
VolumeType : OperatingSystem
CapacityGB : 464,1874
KeyProtector : {tpm}

It can be deleted with Remove-BitLockerKeyProtector.

$BLV = Get-BitLockerVolume -MountPoint "C:"
# KeyProtector lists a single entry ({tpm}), so it sits at index 0, and the
# cmdlet needs the protector's KeyProtectorId, not the whole object.
Remove-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
2
  • Can you elaborate on this a little more?
    – Toto
    Commented Jun 12, 2018 at 13:47
    I would also highly appreciate it if you could elaborate more on this. I'm still living with this situation as it doesn't seem to affect the rest of the boot after I get past the initial error screen, and we all know that recreating an entire dev environment might be a pain in the ass.
    – Vega4
    Commented Aug 1, 2018 at 16:08
