My BitLocker is Missing Parts of the Set-up Process?

I have TPM 2.0 and windows 10 pro, 21H1. Following several different tutorials, there were stages missing during the setup process that never appeared for me to choose from such as "Run Bitlocker System Check", along with "Encrypting the whole drive" or "Only used space"., etc.. See screenshot. The missing stages in the screenshots are from a YouTube tutorial.

Anyone know why these did not show up? It just asked me to save the Key, then nothing else happened.

Also, since then, I have no other options, like setting my bitlocker password, or encrypting the drive. I restarted the computer, it's been 5 days. I go back to Manage Bitlocker section, theres no options except "Turn off bitlocker".

The CMD status check for bitlocker shows its at 98.1%, 4 days ago it was at 97%. So I guess its making progress, but Is it supposed to take days like this for a brand new drive? I have an X1 Carbon Gen 9, 512gb SSD. And how will I set a password, why was I never given that option?

Could you please run a "manage-bde -status" from an elevated command prompt and show us the output?

Below is a sample of the output.

Note that in my case I have 2 drives on this laptop: The internal NVMe SSD and an external NVMe SSD connected via USB. You questioned not being asked for a password for the internal drive. This is normal. The Operating System drive would normally be protected by a numeric key protector serviced by the TPM. This allows it to be completely transparent so that you don't need to supply a password (or anything else for that matter) when booting the system.

Thanks for your reply.
I only have 1 drive. See screenshot. But even in the bitlocker tutorial here on TenForums, it shows that you are supposed to be given an option to encrypt the whole drive or just used space. I never got that option.

Also, regarding password and pin, so a password and pin is only a displayed option during setup IF you do a bunch of Group Policy Editor Settings changes first?

Okay, a few things to address...

First, yes, by default, on a OS drive, you won't be asked to supply a pin or a password. You could add that, but I question why you would want to do so since you already have a TPM in the system.

Second, the command line agrees with what you saw in the GUI, namely, that it's stuck at 98.1% for some reason and it's also weird that you were not asked the questions that you noted were missing in your screenshots. Those very definitely should have been a part of process before the encryption actually started. I've never seen that skipped.

Could you tell me a little about this system? Is this a system in a workgroup or is it a part of a domain where so sort of policy could be affecting you?

I realize that this is a 512GB SSD, but how much data is there actually on the disk (in other words, how full is it)?

Have you run a chkdsk on the drive to see if it reports any errors? (run "chkdsk c:" from an elevated command prompt).

In the meantime, let me do a little additional research and see if I can turn up anything more.

I've not found anything conclusive. I did see a couple of posts where CHKDSK reported errors on drives and that seemed to be the problem so I would still be curious to know what CHKDSK reports on your system.

hsehestedt said:

I've not found anything conclusive. I did see a couple of posts where CHKDSK reported errors on drives and that seemed to be the problem so I would still be curious to know what CHKDSK reports on your system.

56gb being used. 419gb free out of 475gb.

Not a system work group or part of a domain, its my personal computer. I specifically got windows 10 PRO version for Bitlocker. Without getting into a debate as to it being unnecessary or why (i have good reasons for it) but I wanted to have an additional bitlocker password and pre-boot pin. Essentially full bitlocker encryption with more than just a regular windows password.

I also attached below the results of the drive check, seems fine

I'll see what more I can dig up, it may be tomorrow morning before I have the time to dig into it further.

Some new discoveries....So I had a theory windows might intentionally be pausing/slowing the encryption while on battery. Even though my battery was always around 85%+ and I was just doing emailing for hours, nothing intensive. Windows had plenty of time and power to work Bitlocker in the background the past 4-5 days. I also had the battery on a normal/balanced performance plan.

So anyways, I plugged in my laptop and kept it on while plugged in, 30 mins later, did a CMD manage-bde -status check, and its now at 100% and says used space only encrypted. I never read anything about this online being required to be plugged in, but perhaps that was the issue.


Now that still does not explain 1) why Bitlocker never gave me the option to choose between full disk/existing space. It seems to have selected for me. Nor does it explain 2) why did I need to be plugged in for a small amount of existing space to be encrypted (not full drive). 3) why there was no bitlocker encryption progress in the system icon tray as there is supposed to be (screenshot below from tutorials). But w/e.


So it appears to be done now. However, back to the password issue. I assumed once bitlocked finished there was supposed to be a settings/wizard options for bitlocker where I can modify or add a password. Or does that still have to be done through the group policy editor thing before that shows up?

Run GPEDIT.MSC. Expand Computer Configuration > Administrative Templates > Windows Components > Bit Locker Drive Encryption > Operating System Devices.

Finally, select "Require additional authentication at startup" and read the Help topic available there.

hsehestedt said:

Run GPEDIT.MSC. Expand Computer Configuration > Administrative Templates > Windows Components > Bit Locker Drive Encryption > Operating System Devices.

Finally, select "Require additional authentication at startup" and read the Help topic available there.

Thanks! I was going to message you directly rather than add onto this thread since its kind of unrelated to the original issue but I couldnt message you for some reason.

Anyways, I went into those settings and read the help topics to the right, but it does not explain it enough. I kept getting an error message about the group policy settings in conflict. I then found this tutorial:

So the correct way to enfore PIN-only is:

Configure TPM startup: "Do not allow TPM"
Configure TPM startup PIN: "Require startup PIN with TPM"
Configure TPM startup key: "Do not allow startup key with TPM"
Configure TPM startup key and PIN: "Do not allow startup key and PIN with TPM"

^ Are those the correct settings order? Why would I set the TPM as Do Not allow TPM, I thought I would want to require the TPM, and adding a startup PIN was an additional security step on top of requiring the TPM?