When I try to encrypt my non-OS partitions, the option "Automatically unlock this drive" is grayed out. My notebook is in a domain, and the Bitlocker Drive Encryption wizard says that these settings are managed by Global Policy. Fine, I'll ask the system admins to change the policy. But what policy?
When I encrypt the data drive and try to enable Auto-unlock, I get this error:
PS> Enable-BitLockerAutoUnlock -MountPoint "X:"
Enable-BitLockerAutoUnlock : Group Policy settings do not permit the creation of a recovery key.
(Exception from HRESULT: 0x8031005E)
This error is described here (COM error codes) and here (SafeGuard docs):
FVE_E_POLICY_RECOVERY_KEY_NOT_ALLOWED 0x8031005E Group policy settings do not permit the creation of a recovery key.
0x8031005E The Group Policy for encryption without TPM is not set. Please enable the Group Policy "Require additional authentication at startup" and set the checkbox "Allow BitLocker without a compatible TPM" within it.
My notebook is a Lenovo P52; it has a TPM 2.0. When I try to enforce TPM on the data drive, I get this error:
> manage-bde -protectors -add x: -TPM
ERROR: Only the OS volume may be secured with the TPM.
I've heard that TPM cannot be used for data drives, but couldn't find this restriction in any documentation. On the contrary, in a forum I found
"Only the OS volume may be secured with the TPM", I would say this is incorrect...
Q: So, what Global Policy needs to be modified so that I am able to turn on Auto-unlock on my data drives? Is it the "Allow BitLocker without a compatible TPM"? (That would be strange, as the data drive CAN be encrypted; only Auto-unlock doesn't work.)
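An added diagnostic for the question above, not code from the original post: it reads the machine's BitLocker policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE (the value names are the ones the BitLocker ADMX template writes for the two policies mentioned in the post) and lists the key protectors on the data volume. The link drawn between the fixed-drive "Do not allow 256-bit recovery key" option (FDVRecoveryKey = 0) and the 0x8031005E error is an assumption based on the error text and on auto-unlock storing an external key protector; the script reports the settings so that the domain admins can confirm which policy applies.

```powershell
# Added diagnostic; not part of the original post.
# Reads BitLocker policy registry values and lists protectors on a data volume.
param(
    [string]$MountPoint = 'X:'   # data volume from the post
)

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    if (-not (Test-Path $fve)) { return $null }   # no BitLocker policy at all
    return (Get-ItemProperty -Path $fve -Name $Name -ErrorAction SilentlyContinue).$Name
}

# "Choose how BitLocker-protected fixed drives can be recovered"
#   FDVRecovery          1 = policy enabled
#   FDVRecoveryKey       0 = "Do not allow 256-bit recovery key"
#                        (assumed culprit for 0x8031005E: auto-unlock needs an external key protector)
#   FDVRecoveryPassword  0 = "Do not allow 48-digit recovery password"
$fdv = [ordered]@{
    FDVRecovery         = Get-FvePolicyValue 'FDVRecovery'
    FDVRecoveryKey      = Get-FvePolicyValue 'FDVRecoveryKey'
    FDVRecoveryPassword = Get-FvePolicyValue 'FDVRecoveryPassword'
}

# "Require additional authentication at startup" (OS drive only; cited by the SafeGuard docs)
#   UseAdvancedStartup   1 = policy enabled
#   EnableBDEWithNoTPM   1 = "Allow BitLocker without a compatible TPM"
$os = [ordered]@{
    UseAdvancedStartup = Get-FvePolicyValue 'UseAdvancedStartup'
    EnableBDEWithNoTPM = Get-FvePolicyValue 'EnableBDEWithNoTPM'
}

"Fixed data drive recovery policy (blank = not configured):"
$fdv.GetEnumerator() | ForEach-Object { "  {0,-20} {1}" -f $_.Key, $_.Value }
"OS drive startup policy (blank = not configured):"
$os.GetEnumerator()  | ForEach-Object { "  {0,-20} {1}" -f $_.Key, $_.Value }

if ($fdv.FDVRecovery -eq 1 -and $fdv.FDVRecoveryKey -eq 0) {
    # Assumption: this is the setting that blocks Enable-BitLockerAutoUnlock on fixed drives.
    Write-Warning "Policy forbids 256-bit recovery keys on fixed drives; auto-unlock cannot create its external key protector."
}

# Current state of the data volume. A working auto-unlock shows AutoUnlockEnabled = True
# and an ExternalKey protector in the list; a TPM protector never appears on a data volume.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Volume {0}: protection {1}, AutoUnlockEnabled = {2}" -f $vol.MountPoint, $vol.ProtectionStatus, $vol.AutoUnlockEnabled
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize

# The effective domain GPOs behind these values can be cross-checked with:
#   gpresult /scope computer /h gpresult.html
```

Run it from an elevated PowerShell prompt on the notebook; the registry values mirror what the domain GPO pushed, so a blank FDV* row means the fixed-drive recovery policy is not configured at all and something else is producing the error.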