BitLocker allows you to fully encrypt drives. It can be enabled so that it protects drives before boot. It also allows administrative recovery keys. However, sometimes it can go wrong.

<h2 id="setup">Setup</h2> <p>Make sure you create a backup of your BitLocker key when setting up. Keep that absolutely safe. If you lose it, you will not be able to recover the drive if you have an issue or need to move the drive to a different PC.</p> <h2 id="issues">Issues</h2> <h3 id="disk-faults-or-other-operating-systems">Disk faults or other operating systems</h3> <p>Remember that, if your drive is encrypted &amp; if you have a fault on it, it will probably not be possible to recover the data.</p> <p>Also remember that, when working with multiple operating systems installed on the drive (e.g. not virtual OS&rsquo;s), they must all support BitLocker.</p> <h3 id="this-pc-doesnt-support-entering-a-bitlocker-recovery-password-during-startup-ask-your-administrator-to-configure-windows-recovery-environment-so-that-you-can-use-bitlocker">&ldquo;This PC doesn&rsquo;t support entering a BitLocker recovery password during startup. Ask your administrator to configure Windows Recovery Environment so that you can use BitLocker&rdquo;</h3> <p>This error messsage appears to have a number of reasons.</p> <h4 id="tablets">Tablets</h4> <p>One is that you are using a tablet and so may not have a keyboard available during pre-boot where you might need to enter the BitLocker key. To fix this, try:</p> <ul> <li>run <code>gpedit.msc</code></li> <li>Under computer configuration click on &ldquo;administrative templates&rdquo;</li> <li>Click on &ldquo;windows components&rdquo;</li> <li>Click on &ldquo;bitlocker drive encryption&rdquo;</li> <li>Click &ldquo;operating system drives&rdquo;</li> <li>Make sure that &ldquo;require additional authentication at startup&rdquo; is enabled</li> <li>On Microsoft surface devices, make sure that &ldquo;enable use of bitlocker authentication requiring preboot keyboard input on slates&rdquo; is enabled.</li> </ul> <p>Reference: <a href="https://community.spiceworks.com/topic/1401228-bitlocker-not-allowing-encryption">https://community.spiceworks.com/topic/1401228-bitlocker-not-allowing-encryption</a></p> <h3 id="other">Other</h3> <p>Try:</p> <ul> <li>Start an elevated command line</li> <li>Run <code>DISKPART</code></li> <li>Enter <code>LIST VOLUME</code></li> <li>Select the &ldquo;recovery&rdquo; volume with <code>SELECT VOLUME &lt;number&gt;</code>. Number is the recovery volume number</li> <li><code>ASSIGN LETTER=Q</code> (to assign the letter Q:\ to the recovery partition)</li> <li><code>FORMAT fs=ntfs label=&quot;Recovery&quot; quick override</code>. You can use any name for the label.</li> <li><code>EXIT</code> to leave diskpart</li> <li>Run <code>Robocopy.exe C:\Windows\System32\Recovery\ Q:\Recovery\WindowsRE\ /copyall /dcopy:t</code></li> <li>Run <code>reagentc /setreimage /path Q:\Recovery\WindowsRE</code></li> <li>Run <code>reagentc /enable</code></li> <li>Run <code>reagentc /info</code> to check whether the setup worked. If everything worked OK, &ldquo;WinRe-Status&rdquo; should be enabled.</li> <li>You can now remove the Q: drive letter to prevent accidental access (which should result in an &ldquo;access denied&rdquo; message anyway). Go back into DISKPART, follow steps 1 through 3 again. Then enter <code>REMOVE LETTER=Q</code>.</li> </ul> <p>You don&rsquo;t need to reboot.</p>