BitLocker + TPM + PIN + error code 0x80310031
Here are the steps I used. Note this was for a cluster shared volume, but presumably it will work just as well for a local volume.
$BLV = Get-BitLockerVolume -MountPoint "C:\clusterstorage\volume3"
Remove-BitlockerKeyProtector -MountPoint "C:\clusterstorage\volume3" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
Note that in the MS documentation it uses index 1, but if you only have one protector then it should actually be index 0! You can check this by comparing the output from $BLV.KeyProtector[0] to the (probably zero) output from $BLV.KeyProtector[1].
Also, until I added the final .KeyProtectorID I kept getting "invalid class string".
Vega4
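A variant of the steps in the answer above that selects the protector by type instead of by array index and checks for a recovery password before removing anything. This is an added example, not part of the original answer; the function name, the `C:` mount point and the choice of `TpmPin` as the conflicting type are assumptions.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Assumptions: function name, default mount point and default conflicting type are illustrative.
function Reset-TpmPinProtector {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = 'C:',
        [string]$ConflictingType = 'TpmPin',
        [Parameter(Mandatory)][securestring]$Pin
    )

    $protectors = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector)

    # List what is on the volume; protectors are selected by type, not by array position.
    $protectors | Format-Table KeyProtectorType, KeyProtectorId | Out-Host

    # Keep a recovery path: refuse to remove anything unless a recovery password exists.
    if (-not ($protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw "No RecoveryPassword protector on $MountPoint; add one before removing protectors."
    }

    # Remove every protector of the conflicting type, addressed by its KeyProtectorId.
    $stale = @($protectors | Where-Object { "$($_.KeyProtectorType)" -eq $ConflictingType })
    foreach ($p in $stale) {
        if ($PSCmdlet.ShouldProcess("$MountPoint $($p.KeyProtectorId)", "Remove $ConflictingType protector")) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }

    if ($PSCmdlet.ShouldProcess($MountPoint, 'Add TPM+PIN protector')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    }

    # Return the resulting protector list so the change can be verified.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

# Dry run first: reports what would be removed and added without changing the volume.
# Reset-TpmPinProtector -Pin (Read-Host 'New PIN' -AsSecureString) -WhatIf
```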
Updated on September 18, 2022
Comments
-
Vega4 over 1 year
When I try to add PIN protection to my bitlocker set-up I get the following error:
ERROR: An error occurred (code 0x80310031): This key protector cannot be added. Only one key protector of this type is allowed for this drive.
I have selected "Require startup PIN with TPM" in group policy settings. The rest is set to 'allow'.
Then I used the following command:
manage-bde -protectors -add c: -TPMAndPIN
From what I recall this is a proper setting (I am not setting up TPM+PIN bitlocker for the first time).
Ideas?
-
Vega4 over 6 years
Add some lines on how to list and remove previous protectors, for the reference of others and I shall accept :)
-
Toto almost 6 years
Can you elaborate on this a little more?
-
Vega4 almost 6 years
I would also highly appreciate it if you could elaborate more on this. I'm still living with this situation as it doesn't seem to affect the rest of the booting after I get past the initial error screen and we all know that recreating an entire dev environment might be a pain in the ass.