Unable to Enable Bitlocker with TPM
I'm having problems initializing BitLocker on Windows 7 Enterprise x64 on some Dell Latitude laptops (Broadcom TPM 1.2). I'm using the built-in Windows drivers as recommended and the latest BIOS version from Dell. I can initialize the TPM/set the owner password but BitLocker always throws this error at the Initializing Drive section: "Access Denied". I thought that maybe I had configured Group Policy incorrectly, so I've rebuilt one of the laptops off the domain/left all the default settings, but I still have this issue. I can encrypt external drives on the same laptop when not using TPM. Is there any way to proceed from here/does BitLocker log anywhere else? Many thanks.
June 1st, 2010 1:55pm

Hi,

To troubleshoot the issue, please perform the following steps.

1. Make sure the “Choose how BitLocker-protected operating system drives can be recovered” policy is disabled. You can locate the policy under the following path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
2. Ensure the current user profile has administrator privileges to turn on BitLocker and modify Group Policy. If the issue persists, please create a new admin user account for a test.
3. If the machine is built by SCCM, please refer to the following article: "Access Denied Error 0x80070005 message when initializing TPM for Bitlocker"

Thanks,
Novak
June 2nd, 2010 9:20am

In the end I was able to encrypt the laptop after rebuilding the laptop and configuring BitLocker using local Group Policy settings. I was able to back everything up to AD. However, when I configured a GPO, applied it at AD level and went to "Manage BitLocker", I get: "BitLocker Drive Encryption Error: Cannot Run. Access is denied." Which looks like the same error? I've tried to disable “Choose how BitLocker-protected operating system drives can be recovered” but that didn't help. The user is a Domain Admin/so it should work. I also can't change the TPM PIN using Manage-BDE: "Error: An attempt to access the required resource was denied." It did seem to stop working when the computer was moved in AD/suggesting there's a Group Policy setting somewhere or that permissions are not being correctly propagated?
June 4th, 2010 1:05pm

I think I've narrowed down the problem to a conflict with this setting: "All Removable Storage Classes: Deny all access". We don't want to use a USB key for backup so I'm not sure why it would be a problem? Is the TPM treated as a storage class?
June 4th, 2010 9:06pm

Hi,

These removable storage access policies do not affect software that runs in the System account context, such as the ReadyBoost technology in Windows. However, any software that runs under the security context of the current user might be affected by these restrictions. For example, if the "Removable Disks: Deny write access" policy setting is in effect for a user, even if that user is an administrator, then the BitLocker setup program cannot write its startup key to a USB drive. You might want to consider applying the restrictions to only users and groups other than the local Administrators group.

For more information, please refer to the link below:
http://technet.microsoft.com/en-us/library/cc731387(WS.10).aspx

Regards,
Novak
June 7th, 2010 9:47am
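As an added diagnostic (not part of the thread and not Microsoft's own tooling), the script below shows how an admin can confirm on an affected laptop whether the two policies discussed here are actually applied, read the TPM state, and dump the OS drive's BitLocker status in one pass. It assumes the registry locations listed are where these Group Policy settings are written (Deny_All under RemovableStorageDevices, OSRecovery under FVE) and that it runs in an elevated PowerShell on Windows 7, which has no Get-Tpm cmdlet, so the TPM is read through the Win32_Tpm WMI class.

```powershell
# Added example, not from the thread. Run elevated on the affected laptop.
# Registry paths are assumed to be where these policies land; confirm with gpresult /h if in doubt.

$policies = @(
    @{ Label = 'All Removable Storage classes: Deny all access (Computer)';
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices';
       Name  = 'Deny_All' },
    @{ Label = 'All Removable Storage classes: Deny all access (User)';
       Path  = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices';
       Name  = 'Deny_All' },
    @{ Label = 'Choose how BitLocker-protected OS drives can be recovered';
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE';
       Name  = 'OSRecovery' }
)

function Get-PolicyValue($path, $name) {
    # Returns the DWORD if the policy is applied, otherwise $null (Not Configured).
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$name
}

foreach ($p in $policies) {
    $v = Get-PolicyValue $p.Path $p.Name
    $state = if ($v -eq $null) { 'Not Configured' } elseif ($v -eq 1) { 'ENABLED' } else { "Disabled ($v)" }
    '{0,-65} {1}' -f $p.Label, $state
}

# TPM state via WMI; a missing instance means the TPM is absent, disabled in BIOS, or has no driver.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($tpm -eq $null) {
    'TPM: no Win32_Tpm instance found'
} else {
    'TPM: enabled={0} activated={1} owned={2}' -f $tpm.IsEnabled().IsEnabled,
        $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned
}

# Protector and encryption state of the OS drive, using the same tool the thread uses for PIN changes.
manage-bde -status $env:SystemDrive
```

A Deny_All value of 1 in the User hive while the TPM reports enabled/activated/owned is the combination this thread points to: the hardware is fine, but the setup wizard running in the user's context is being blocked.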
