"Access is Denied" when starting Bitlocker - possible Group Policy bug?
We encrypted all of our Windows 7 clients with Bitlocker. Afterwards we locked down the workstations' removable media with the GPO "All Removable Storage classes: Deny all access". When a user needs to use the CD drive to install an application we remove them from the GPO, and usually their CD drive doesn't work till I remove the CD drive from Device Manager and scan for new devices. When the CD drive gets reinstalled in the Device Manager the user can once again use the CD drive. Today however I needed to clone the hard drive to a new laptop. I first decrypted the hard drive and removed the computer from the GPO. Then I cloned it to the new laptop. Then I attempted to run Bitlocker to encrypt the drive. I got an Access Denied error when I tried to turn on Bitlocker. So I deleted the TPM and hard drive from the Device Manager, since I thought that'd fix it the way it fixes the CD drive. It didn't fix it. I then tried a BIOS update and factory-defaulting the TPM. Neither of those worked. I then created a new OU and a new GPO that has a DENY setting for "All Removable Storage classes: Deny all access", since I thought it'd clean up whatever the other policy may have changed. That didn't work either. I checked Group Policy Results and there are no Group Policies that could be causing Bitlocker not to launch; however, we never had any of these problems with enabling Bitlocker or unlocking our CD drives till we started using this "All Removable Storage classes: Deny all access" policy. Is there any kind of fix or workaround? This seems like a serious bug. I've fixed it before by adding a new computer to the domain and never allowing the "All Removable Storage classes: Deny all access" policy to apply to the computer. We need that GPO for our domain to prevent employees from bringing in hard drives, USB drives, floppies, and burning CDs, and that GPO covers them all. Thanks for any help you could provide. Travis in San Diego.
June 16th, 2011 1:28am

Hi, Are you able to enable Bitlocker when the computer is in a workgroup? Does this issue occur only when the computer is in the domain? Please first check the group policy settings in the following articles: http://technet.microsoft.com/en-us/library/dd875532(WS.10).aspx#BKMK_gpsettings http://technet.microsoft.com/en-us/library/ee424316(WS.10).aspx Also, please refer to the following blog to see if it helps: "Access Denied Error 0x80070005 message when initializing TPM for Bitlocker". Regards, Sabrina TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 16th, 2011 6:20am

Hi, How are you? I would appreciate it if you could drop me a note to let me know the status of the issue. If you have any questions or concerns, please feel free to let me know. I am happy to be of further assistance. :) Regards, Sabrina TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 20th, 2011 4:49am

Thanks for the reply Sabrina. I checked out the links and our GPOs look good; I included the Bitlocker GPO below. I added the Delegation of Control to our OU and that didn't clear up the problem. I removed a test laptop from the domain and re-added it to the domain and it still wouldn't encrypt. I then removed it from the domain and, while off the domain, it still wouldn't encrypt the drive. I ended up reinstalling Windows and adding it to the domain and then it'd encrypt. This isn't a working solution for live computers. Any suggestions? Thanks!

----
Group Policy Management: bitlocker
Data collected on: 6/23/2011 4:20:52 PM

General
  Details
    Domain: domain.corp.com
    Owner: DOMAIN\Domain Admins
    Created: 10/8/2009 2:11:56 PM
    Modified: 9/29/2010 3:12:52 PM
    User Revisions: 0 (AD), 0 (sysvol)
    Computer Revisions: 16 (AD), 16 (sysvol)
    Unique ID: {FBD34FFC-102E-4C6A-8D8C-18C1CBA5E999}
    GPO Status: Enabled
  Links
    Location      Enforced  Link Status  Path
    Workstations  No        Enabled      domain.corp.com/Workstations
    IT test       No        Enabled      domain.corp.com/Workstations/IT test
    This list only includes links in the domain of the GPO.
  Security Filtering
    The settings in this GPO can only apply to the following groups, users, and computers:
    NT AUTHORITY\Authenticated Users
  Delegation
    These groups and users have the specified permission for this GPO:
    Name                                        Allowed Permissions                     Inherited
    ALIFE-DOMAIN\Domain Admins                  Edit settings, delete, modify security  No
    ALIFE-DOMAIN\Enterprise Admins              Edit settings, delete, modify security  No
    NT AUTHORITY\Authenticated Users            Read (from Security Filtering)          No
    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  Read                                    No
    NT AUTHORITY\SYSTEM                         Edit settings, delete, modify security  No

Computer Configuration (Enabled)
  Policies
    Windows Settings
      Security Settings
        Public Key Policies/Encrypting File System
          Certificates
            Issued To           Issued By  Expiration Date       Intended Purposes
            bitlocker recovery  CERT       9/29/2012 2:33:38 PM  File Recovery
            admin               CERT       6/25/2012 9:18:07 AM  File Recovery
          For additional information about individual settings, launch Group Policy Object Editor.
        Public Key Policies/Trusted Root Certification Authorities
          Properties
            Allow users to select new root certification authorities (CAs) to trust: Enabled
            Client computers can trust the following certificate stores: Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
            To perform certificate-based authentication of users and computers, CAs must meet the following criteria: Registered in Active Directory only
    Administrative Templates
      Policy definitions (ADMX files) retrieved from the local machine.
      Windows Components/BitLocker Drive Encryption
        Choose default folder for recovery password: Enabled
          Configure the default folder path: \\2008security\bitlocker
          (Specify a fully qualified path or include the computer's environment variables in the path. For example, enter "\\server\backupfolder", or "%SecureDriveEnvironmentVariable%\backupfolder". Note: In all cases, the user will be able to select other folders in which to save the recovery password.)
        Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista): Disabled
        Provide the unique identifiers for your organization: Enabled
          BitLocker identification field: corp
          Allowed BitLocker identification field: corp
        Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista): Enabled
          Require BitLocker backup to AD DS: Enabled
          (If selected, cannot turn on BitLocker if backup fails (recommended default). If not selected, can turn on BitLocker even if backup fails. Backup is not automatically retried.)
          Select BitLocker recovery information to store: Recovery passwords and key packages
          (A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drive's BitLocker encryption key secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted.)
      Windows Components/BitLocker Drive Encryption/Fixed Data Drives
        Choose how BitLocker-protected fixed drives can be recovered: Enabled
          Allow data recovery agent: Enabled
          Configure user storage of BitLocker recovery information: Allow 48-digit recovery password; Allow 256-bit recovery key
          Omit recovery options from the BitLocker setup wizard: Enabled
          Save BitLocker recovery information to AD DS for fixed data drives: Enabled
          Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
          Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: Enabled
      Windows Components/BitLocker Drive Encryption/Operating System Drives
        Choose how BitLocker-protected operating system drives can be recovered: Enabled
          Allow data recovery agent: Enabled
          Configure user storage of BitLocker recovery information: Allow 48-digit recovery password; Allow 256-bit recovery key
          Omit recovery options from the BitLocker setup wizard: Enabled
          Save BitLocker recovery information to AD DS for operating system drives: Enabled
          Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
          Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Enabled
      Extra Registry Settings
        Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.
        Setting                                                                                                         State
        Software\Policies\Microsoft\SystemCertificates\FVE\Certificates\601EF968C62DAB17FF01DEC63F0C673FA8B8BA58\Blob  Unknown data format
        Software\Policies\Microsoft\SystemCertificates\FVE\Certificates\CBF80F43A8EEF39F6F3621D0E4E87D76486B8678\Blob  Unknown data format

User Configuration (Enabled)
  No settings defined.
June 24th, 2011 2:33am

Travis,
1. How do you enable bitlocker on the client? From Control Panel --> BitLocker Drive Encryption, or by using a WMI script?
2. Can you also give me the error message?
3. Open the TPM Management Console (Start --> Run --> tpm.msc) and check the status of the TPM. What is the current status of the TPM?
4. Have you given SELF write to the OU? See the blog which I wrote: "Access Denied Error 0x80070005 message when initializing TPM for Bitlocker".
5. Also, can you send me the system logs from the client at manojsehgal@hotmail.com?
Thanks
Manoj Sehgal
June 24th, 2011 4:47pm
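Step 4 above ("Have you given SELF write to the OU") refers to the inheritable ACE that lets a Windows 7 client write its own TPM owner information to its computer object in AD DS. The following PowerShell script is an added example, not code from the thread or from Microsoft: it looks up the schema GUIDs for ms-TPM-OwnerInformation and the computer class and reports whether the OU's security descriptor grants NT AUTHORITY\SELF WriteProperty on that attribute. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read the OU's ACL; the OU distinguished name is a placeholder to replace with your own.

```powershell
# Added example (not from the thread): verify that computer objects under an OU
# can write their own ms-TPM-OwnerInformation attribute, which TPM owner-info
# backup to AD DS requires. Placeholder OU DN; replace with your workstation OU.
param([string]$OuDn = 'OU=Workstations,DC=domain,DC=corp,DC=com')

Import-Module ActiveDirectory

# Resolve a schema object's GUID by LDAP display name rather than hard-coding it,
# so the same check works in any forest.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

# Return every Allow ACE on the OU that gives SELF WriteProperty on
# ms-TPM-OwnerInformation (or on all properties) for computer objects
# (or for all descendant objects). Empty output means the permission is missing.
function Get-SelfTpmWriteAce {
    param([string]$Dn)
    $attrGuid  = Get-SchemaGuid 'ms-TPM-OwnerInformation'
    $classGuid = Get-SchemaGuid 'computer'
    $writeProp = [int][DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        $_.AccessControlType -eq [Security.AccessControl.AccessControlType]::Allow -and
        ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty) -and
        ($_.InheritedObjectType -eq $classGuid -or $_.InheritedObjectType -eq [guid]::Empty) -and
        (([int]$_.ActiveDirectoryRights -band $writeProp) -ne 0)
    }
}

$aces = @(Get-SelfTpmWriteAce -Dn $OuDn)
if ($aces.Count -gt 0) {
    Write-Host "OK: SELF can write ms-TPM-OwnerInformation on computer objects under $OuDn"
    $aces | Format-List IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
} else {
    Write-Host "MISSING: no Allow ACE grants SELF WriteProperty on ms-TPM-OwnerInformation under $OuDn"
    Write-Host "Clients in this OU that must back up TPM owner information will fail to initialize the TPM."
}
```

Run it from a machine with RSAT as an account that can read the OU's ACL; a "MISSING" result is the condition Manoj's blog post addresses, and the ACE it lists when present is the one to compare against nested OUs that block inheritance.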

Thanks, I'm emailing you right now Manoj. Sabrina could I send you the print screens and logs as well?
June 28th, 2011 11:28pm

Travis, I looked at the system logs and can see that you were able to decrypt the volume. Try this:
1. Open the TPM Management console, clear the TPM and reboot the machine.
2. Once the machine is up, make sure that the TPM is ON and ownership has been taken. Open an elevated command prompt and then run the below command:
> manage-bde -on c: -rp -s
Let me know if this works or gives an error message. If this gives you an error message, please let me know the error message.
Manoj Sehgal
July 5th, 2011 5:22pm
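Before running the manage-bde command above it helps to record exactly what the client sees: whether the prompt is elevated (the later "Check that you have administrative rights" error turns on this), whether the TPM is enabled, activated and owned, and the volume's current protection and conversion state. The following PowerShell script is an added example, not code from the thread or from Microsoft. It uses the Win32_Tpm and Win32_EncryptableVolume WMI classes that ship with Windows 7, and only runs manage-bde when the -Enable switch is given; the drive letter, switch name and function names are this example's own.

```powershell
# Added example (not from the thread): pre-flight state capture for the
# "manage-bde -on c: -rp -s" step. Run from an elevated PowerShell prompt.
param(
    [string]$Drive = 'C:',
    [switch]$Enable      # only turn BitLocker on when explicitly requested
)

# manage-bde needs an elevated token; a non-elevated admin gets access denied.
function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Win32_Tpm exposes the three states that TPM Management (tpm.msc) shows.
function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { return $null }      # no TPM driver, or TPM hidden/disabled in BIOS
    New-Object PSObject -Property @{
        Enabled   = $tpm.IsEnabled().IsEnabled
        Activated = $tpm.IsActivated().IsActivated
        Owned     = $tpm.IsOwned().IsOwned
    }
}

# Win32_EncryptableVolume reports protection and conversion state per volume.
function Get-VolumeState {
    param([string]$DriveLetter)
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { return $null }
    $conv = $vol.GetConversionStatus()
    New-Object PSObject -Property @{
        ProtectionStatus     = $vol.GetProtectionStatus().ProtectionStatus  # 0 off, 1 on, 2 unknown
        ConversionStatus     = $conv.ConversionStatus   # 0 decrypted, 1 encrypted, 2 encrypting, 3 decrypting
        EncryptionPercentage = $conv.EncryptionPercentage
    }
}

if (-not (Test-Elevated)) {
    Write-Warning 'Prompt is not elevated: manage-bde will report access denied regardless of TPM state.'
}

$tpm = Get-TpmState
if ($null -eq $tpm) {
    Write-Warning 'No TPM visible to Windows; check BIOS and the TPM driver in Device Manager.'
} else {
    Write-Host 'TPM state:'
    $tpm | Format-List Enabled, Activated, Owned
}

$vol = Get-VolumeState -DriveLetter $Drive
if ($null -eq $vol) {
    Write-Warning "Volume $Drive not reported by the BitLocker WMI provider."
} else {
    Write-Host "Volume $Drive state:"
    $vol | Format-List ProtectionStatus, ConversionStatus, EncryptionPercentage
}

if ($Enable) {
    # Same command as in the post above: TPM + recovery password protectors,
    # skipping the hardware test (-s). The exit code is kept for the log.
    & manage-bde -on $Drive -rp -s
    Write-Host "manage-bde exit code: $LASTEXITCODE"
}
```

Save the output together with the system log when reporting back; a volume that shows ConversionStatus 0 and ProtectionStatus 0 with an enabled, activated and owned TPM but still fails with access denied points away from the TPM and towards permissions or policy, which is where the later replies in the thread look.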

Manoj, I am running into the same issue. The TPM initializes OK, but I get an Access Denied when I attempt to start the Bitlocker encryption. When I run the manage-bde command suggested above, I get the following: ERROR: An attempt to access a required resource was denied. Check that you have administrative rights on the computer. The account I'm using is a domain admin on the domain in question. I've verified that the domain admins group is nested in the built-in administrators group on the system. Thanks, Steve
July 16th, 2011 2:06pm

Are you sure you are using an elevated command prompt to run the manage-bde command? Click Start --> Programs --> Accessories --> Command Prompt. Right-click on Command Prompt and select Run as Administrator. Let me know if this works for you or not. Manoj Sehgal
July 20th, 2011 10:19am

Manoj, It turns out, I have the issue regardless of whether the laptop is on the domain or in a workgroup. I ran the command from an elevated cmd prompt and received the same error message. Thanks, Steve
July 23rd, 2011 8:12am

Try this, which I have in my blog: http://blogs.technet.com/b/askcore/archive/2010/03/30/access-denied-error-0x80070005-message-when-initializing-tpm-for-bitlocker.aspx Manoj Sehgal
July 23rd, 2011 10:14am
