30 C
Dubai
Wednesday, October 9, 2024

Startup Options on this PC are Configured Incorrectly – Bit locker

Enabling Bitlocker giving Error in Surface Pro Devices –

Error : The Startup Options on This PC are Configured incorrectly. Contact your System Administrator For More Information

image\

 

Solution –

Use of BitLocker authentication requiring preboot keyboard has to be enabled In Group Policy

Enable use of BitLocker authentication requiring preboot keyboard input on slates – Enabled

image

Default Recommended Group Policy for Surface Pro Devices –

Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives
Disallow standard users from changing the PIN or password – Enabled
Enable use of BitLocker authentication requiring preboot keyboard input on slates – Enabled
Require additional authentication at startup – Enabled

Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Settings for computers with a TPM:

Configure TPM startup: Do not allow TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Configure TPM startup key: Do not allow startup key with TPM
Configure TPM startup key and PIN: Allow startup key and PIN with TPM

Require additional authentication at startup (Windows Server 2008 and Windows Vista) Enabled
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Settings for computers with a TPM:

Configure TPM startup key: Allow startup key with TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Important: If you require the startup key, you must not allow the startup PIN.

If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error occurs.
Note: Do not allow both startup PIN and startup key options to hide the advanced page on a computer with a TPM.

Windows Components/MDOP MBAM (BitLocker Management)/Client Management

Configure automatically resetting TPM lockouts Enabled
Configure MBAM services Enabled
MBAM Recovery service endpoint: https://bitlocker.careexchange.in:443/MBAMRecoveryAndHardwareService/CoreService.svc

Select BitLocker recovery information to store: Recovery password and key package
Enter client checking status frequency in (minutes): 90
Configure MBAM Status reporting service: Enabled
MBAM Status reporting service endpoint: https://bitlocker.careexchange.in:443/MBAMComplianceStatusService/StatusReportingService.svc
Enter status report frequency in (minutes): 720
Windows Components/MDOP MBAM (BitLocker Management)/Operating System Drive

Encryption Policy Enforcement Settings Enabled
Configure the number of noncompliance grace period days for operating system drives: 0
Operating system drive encryption settings Enabled
Allow BitLocker without a compatible TPM (requires a password) Disabled
Select protector for operating system drive:
Settings for computers with a TPM:
Configure minimum PIN length for startup 6

User Configuration (Disabled)

 

Default Recommended Group Policy for Laptops and Desktops –

Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives
Disallow standard users from changing the PIN or password – Enabled
Require additional authentication at startup – Enabled

Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Settings for computers with a TPM:

Configure TPM startup: Do not allow TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Configure TPM startup key: Do not allow startup key with TPM
Configure TPM startup key and PIN: Allow startup key and PIN with TPM

Require additional authentication at startup (Windows Server 2008 and Windows Vista) Enabled
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Settings for computers with a TPM:

Configure TPM startup key: Allow startup key with TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Important: If you require the startup key, you must not allow the startup PIN.

If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error occurs.
Note: Do not allow both startup PIN and startup key options to hide the advanced page on a computer with a TPM.

Windows Components/MDOP MBAM (BitLocker Management)/Client Management

Configure automatically resetting TPM lockouts Enabled
Configure MBAM services Enabled
MBAM Recovery service endpoint: https://bitlocker.careexchange.in:443/MBAMRecoveryAndHardwareService/CoreService.svc

Select BitLocker recovery information to store: Recovery password and key package
Enter client checking status frequency in (minutes): 90
Configure MBAM Status reporting service: Enabled
MBAM Status reporting service endpoint: https://bitlocker.careexchange.in:443/MBAMComplianceStatusService/StatusReportingService.svc
Enter status report frequency in (minutes): 720
Windows Components/MDOP MBAM (BitLocker Management)/Operating System Drive

Encryption Policy Enforcement Settings Enabled
Configure the number of noncompliance grace period days for operating system drives: 0
Operating system drive encryption settings Enabled
Allow BitLocker without a compatible TPM (requires a password) Disabled
Select protector for operating system drive:
Settings for computers with a TPM:
Configure minimum PIN length for startup 6

User Configuration (Disabled)

Satheshwaran Manoharan
Satheshwaran Manoharanhttps://www.azure365pro.com
Award-winning Technology Leader with a wealth of experience running large teams and diversified industry exposure in cloud computing. From shipping lines to rolling stocks.In-depth expertise in driving cloud adoption strategies and modernizing systems to cloud native. Specialized in Microsoft Cloud, DevOps, and Microsoft 365 Stack and conducted numerous successful projects worldwide. Also, Acting as a Technical Advisor for various start-ups.

Related Articles

3 COMMENTS

  1. Here is the solution I found when this did not work

    run gpedit

    Local computer policy> computer configuration > administrative templates > Windows Components > bitlocker drive encryption > Operating system drives
    Require additional authentication at startup

    Enable

  2. Hi Satheshwaran,

    When this policy is applied from Intune it is not getting applied on a Dell Optiplex 7000 desktop. So, should we enable this like locally on a machine? I am kind of confused. When I tried to apply this to Intune the protection status is OFF and when I tried to enable it manually on the desktop, I got the error that you are showing. I tried to add these setting locally in the group policy it enabled it. So, is this the only way to do it for desktops?

LEAVE A REPLY

Please enter your comment!
Please enter your name here

× How can I help you?