Microsoft BitLocker (Encrypt Now)

Updated: Microsoft BitLocker (Encrypt Now)

Encrypt the OS drive and back up the recovery keys to Active Directory

Now retries backing up the recovery keys to AD every 1 minute for up to 1 hour, but only when an AD domain member fails to back up the recovery keys to AD with “The specified account does not exist.”
This can happen when the disk is encrypted immediately after joining AD, before domain replication has completed.
https://support.microsoft.com/en-us/help/2665635/the-specified-account-does-not-exist-when-you-try-to-enable-bitlocker

  • Check if this is a BitLocker-capable OS
  • Check if a TPM chip is available
  • Check if we can back up recovery keys
  • Take ownership of the TPM by setting an owner password, only for Windows 7/2008R2 and Vista/2008
  • Check for existing numerical password protectors
  • Add a numerical password protector, if one does not exist
  • Back up all recovery keys to AD
  • Turn on BitLocker and begin the drive encryption
  • Display a detailed success or failure message, except in silent mode
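The protector, AD backup and encryption steps above, with the one-minute retry on “The specified account does not exist,” as an added PowerShell example that is not the package's own script. It assumes manage-bde.exe is on the PATH (use the sysnative path from 32-bit PowerShell on 64-bit Windows), an elevated session, C: as the OS drive, and that manage-bde -on adds the TPM protector for the OS drive by default; exit codes follow the page.

```powershell
$Drive = 'C:'

function Invoke-ManageBde([string[]]$ArgList) {
    # Runs manage-bde.exe and returns its combined output text and exit code.
    $lines = & manage-bde.exe @ArgList 2>&1
    $code  = $LASTEXITCODE
    return @{ Text = ($lines | Out-String); Code = $code }
}

function Get-RecoveryProtectorIds {
    # Returns the IDs ({GUID}) of existing numerical password protectors.
    $r = Invoke-ManageBde @('-protectors', '-get', $Drive, '-type', 'RecoveryPassword')
    return [regex]::Matches($r.Text, '\{[0-9A-Fa-f-]{36}\}') | ForEach-Object { $_.Value }
}

# 1. TPM check via the TPM WMI provider (Vista and later).
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) { Write-Host 'A TPM chip was not found'; exit 224 }

# 2. Add a numerical password protector only if none exists yet.
$ids = @(Get-RecoveryProtectorIds)
if ($ids.Count -eq 0) {
    $null = Invoke-ManageBde @('-protectors', '-add', $Drive, '-RecoveryPassword')
    $ids = @(Get-RecoveryProtectorIds)
}
if ($ids.Count -eq 0) { Write-Host 'Unable to find the password protector ID'; exit 226 }

# 3. Back up every recovery key to AD. Retry once a minute for up to an hour,
#    but only on the replication-lag error; any other failure aborts at once.
foreach ($id in $ids) {
    $attempt = 0
    do {
        $r = Invoke-ManageBde @('-protectors', '-adbackup', $Drive, '-id', $id)
        if ($r.Code -eq 0) { break }
        $attempt++
        $retryable = $r.Text -match 'The specified account does not exist'
        if (-not $retryable -or $attempt -ge 60) {
            Write-Host "Failed to back up recovery keys to AD:`n$($r.Text)"; exit 225
        }
        Start-Sleep -Seconds 60
    } while ($true)
}

# 4. Turn on BitLocker; encryption starts in the background.
$r = Invoke-ManageBde @('-on', $Drive, '-SkipHardwareTest')
if ($r.Code -ne 0) { Write-Host "Failed to run the process: manage-bde.exe`n$($r.Text)"; exit 200 }
Write-Host "BitLocker enabled on $Drive; encryption in progress."
```

Keys are backed up before encryption starts, so a machine is never encrypted without its recovery password already escrowed in AD.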
Command line arguments
<none> - Minimally interactive install
/u - Unattended install
/s - Silent install
Exit codes
104 - Aborting the installation; unsafe conditions: Windows 10 1803 prior to build 17134.319 cannot back up keys to AD with a local account
222 - Unable to find manage-bde.exe
223 - This is not a BitLocker-capable OS
224 - A TPM chip was not found
225 - Failed to back up recovery keys to AD
226 - Unable to find the password protector ID
200 - Failed to run the process: manage-bde.exe
Common exit codes