Dell BitLocker Manager Reporting Unprotected After Changing Protector Policy

Summary: This article discusses the root cause and resolution for Dell BitLocker Manager (formerly Dell Data Protection | Dell BitLocker Manager) reporting unprotected after changing the Dell Data Security server (formerly Dell Data Protection server) protector policy from Configure TPM Startup PIN to Configure TPM Startup. ...


Symptoms

Affected Products:

  • Dell BitLocker Manager
  • Dell Data Protection | BitLocker Manager

Affected Versions:

  • v10.10 and Earlier

In the Dell Data Security server console, an administrator may change the protectors that are required to unlock an endpoint protected with Dell BitLocker Manager.

Figure 1: (English Only) Dell Data Security TPM Configuration

Changing Configure TPM Startup PIN to Configure TPM Startup causes:

  • After the first reboot following the policy change:
    • The PIN is required to unlock the operating system disk.
    • In the BitLocker Drive Encryption applet of the Control Panel, BitLocker Drive Encryption shows as suspended.
    • In the Dell Data Security console, Drive 0 reports Unprotected and Disk C: reports Fully encrypted.

Figure 2: (English Only) Encryption Status

  • After the second reboot:
    • A PIN is no longer required to unlock the volume.
    • In the BitLocker Drive Encryption applet of the Control Panel, BitLocker Drive Encryption shows as suspended.
    • In the Dell Data Security console, Drive 0 reports Unprotected and Disk C: reports Fully encrypted.

On the Dell Data Security administration console, the endpoint reports as Unprotected:

Figure 3: (English Only) Endpoint Details

On the endpoints, the DellAgent.log in C:\ProgramData\Dell\Dell Data Protection shows the error below:

2019.12.10 14:16:34.015 [04596] (00022) E Bde: volume C: unable to enable key protectors - PolicyStartupTpmRequired

Trying to manually resume BitLocker fails:

Figure 4: (English Only) BitLocker Drive Encryption error

 

Cause

Not Applicable

Resolution

To address this issue, it is necessary to manually change the policy settings for BitLocker on the endpoints experiencing the issue.

To resolve:

  1. Right-click the Windows Start Menu and then select Run.

Figure 5: (English Only) Click Run

  2. In the Run menu, type control panel and then click OK.

Figure 6: (English Only) Run Control Panel

  3. In the Control Panel, click BitLocker Drive Encryption.

Figure 7: (English Only) BitLocker Drive Encryption

  4. Click Change how Drive is Unlocked at startup.

Figure 8: (English Only) BitLocker Suspended

  5. In the Wizard, select Let BitLocker automatically unlock my drive.

Figure 9: (English Only) BitLocker Drive Encryption

  6. Click Resume protection.

Figure 10: (English Only) BitLocker Drive Encryption

After performing these steps, the disk shows as Protected again:

Figure 11: (English Only) Encryption Status

The same steps can be performed from an administrative command prompt using the commands below:

manage-bde -protectors -add c: -TPM
manage-bde -protectors -enable c:
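
The symptoms and the two commands above can be combined into a single check-then-fix script for an affected endpoint. This is an added example, not part of the original article or of Dell tooling; the -Remediate switch is hypothetical, and the script assumes the BitLocker PowerShell module is available and that an affected volume does not yet have a TPM-only protector.

```powershell
#Requires -RunAsAdministrator
# Added example (not Dell's code): report whether this endpoint matches the state
# described in the article, and apply the article's two manage-bde commands only
# when every check agrees.
param(
    [string]$MountPoint = 'C:',
    # Directory and file name are the ones given in the article.
    [string]$AgentLog = 'C:\ProgramData\Dell\Dell Data Protection\DellAgent.log',
    [switch]$Remediate   # hypothetical switch: without it the script only reports
)

$errorText = 'unable to enable key protectors - PolicyStartupTpmRequired'
$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

# Check 1: disk is fully encrypted but protection is off (shown as "suspended").
$suspended = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'Off')
# Check 2 (assumption): the TPM-only protector that the fix adds is not present yet.
$missingTpm = $types -notcontains 'Tpm'
# Check 3: the agent logged the error quoted in the article.
$logHit = $false
if (Test-Path -LiteralPath $AgentLog) {
    $logHit = [bool](Select-String -LiteralPath $AgentLog -SimpleMatch -Pattern $errorText -Quiet)
}

[pscustomobject]@{
    MountPoint    = $MountPoint
    Protectors    = $types -join ','
    Suspended     = $suspended
    MissingTpm    = $missingTpm
    AgentLogError = $logHit
}

if ($Remediate -and $suspended -and $missingTpm -and $logHit) {
    manage-bde -protectors -add $MountPoint -TPM
    if ($LASTEXITCODE -ne 0) { throw "Adding the TPM protector failed ($LASTEXITCODE)" }
    manage-bde -protectors -enable $MountPoint
    if ($LASTEXITCODE -ne 0) { throw "Resuming protection failed ($LASTEXITCODE)" }
    # Confirm the result: ProtectionStatus should now read On.
    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, ProtectionStatus
}
```

Run it without -Remediate first to see which of the three checks match; an endpoint where any check is false is in a different state from the one this article describes.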

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

Dell Encryption
Article Properties
Article Number: 000129595
Article Type: Solution
Last Modified: 16 Jan 2024
Version: 10