Help with BitLocker Issue: Can’t Enable it via Command Line

Asked By TechWiz123 On

I'm trying to enable BitLocker on my Windows 11 (24H2) machine using an elevated PowerShell console. I'm running the command 'Enable-BitLocker -MountPoint C: -RecoveryKeyPath D:key.txt -EncryptionMethod XtsAes256 -UsedSpaceOnly -RecoveryKeyProtector -Confirm:$false', but I keep running into an error. The internal function throws an exception, saying 'Add-ExternalKeyProtectorInternal: System could not find the path specified. (Exception from HRESULT: 0x80070003)'. My device is a 2013 Surface Laptop Go, and I'm not sure what's going wrong. Anyone got any ideas?

2 Answers

Answered By GadgetGuru45 On

It seems like you're trying to save the recovery key on an external drive, but BitLocker typically uses a TPM protector for the C: drive. Storing the key on another disk doesn't really enhance security, and it can lead to issues like the one you're experiencing. Normally, recovery keys are stored in a more secure location, like the registry, especially when the drive is encrypted with TPM. Have you considered saving the key back on the C: drive instead?

Answered By CommandLineNinja88 On

You might be mixing up recovery keys and startup keys. If you have a TPM on your device, I’d recommend using that instead of an external USB drive for better security. The TPM can manage the keys for you without the need for a removable device.

TechWiz123 -

Good point! I do have TPM, but I wanted a backup recovery key in case I need to access the drive from another machine. That's how I used to do it when enabling via the GUI. But I guess using TPM could simplify things.
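For readers in the same spot, here is an added example (not posted by anyone in this thread) of the approach both answers point at: the TPM unlocks the OS volume, a separate recovery password protector gives you the portable backup the question asks about, and the 48-digit recovery password is written to a file and optionally escrowed in AD DS. It also checks the TPM first and does not touch a volume that is already protected. One caveat worth knowing when using the original command shape: `-RecoveryKeyPath` with `-RecoveryKeyProtector` expects an existing folder that will receive a .BEK file, not a file name. `$BackupDir` is a placeholder path; C: as the OS volume and a ready TPM are assumptions.

```powershell
# Added example: enable BitLocker on the OS volume with a TPM protector plus a
# recovery password protector, then back up the recovery password.
# Run from an elevated PowerShell. Assumptions (not from the thread):
#   - $MountPoint is the OS volume and a TPM is present and ready
#   - $BackupDir is a placeholder folder chosen by the admin
param(
    [string]$MountPoint = 'C:',
    [string]$BackupDir  = 'C:\BitLockerBackup'   # placeholder; move the file off this volume afterwards
)

# Pre-flight: a TPM protector only works if the TPM is present and ready
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready on this device; resolve that before using a TPM protector."
}

# Do not re-run against a volume that is already protected; just show its protectors
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$MountPoint is already protected. Existing key protectors:"
    $vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId
    return
}

# Step 1: add the recovery password protector first, so a recovery path exists
# before encryption starts
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

# Step 2: start encryption with the TPM as the unlock protector
# (-SkipHardwareTest avoids the reboot-based hardware test; omit it to keep the test)
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -TpmProtector -SkipHardwareTest

# Step 3: read back the recovery password and write it to the backup folder
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$outFile = Join-Path $BackupDir ("BitLocker-Recovery-{0}.txt" -f $rp.KeyProtectorId.Trim('{}'))
@"
BitLocker recovery information for $env:COMPUTERNAME volume $MountPoint
Identifier:        $($rp.KeyProtectorId)
Recovery Password: $($rp.RecoveryPassword)
"@ | Set-Content -Path $outFile -Encoding UTF8
Write-Host "Recovery password written to $outFile"

# Optional, domain-joined machines: escrow the recovery password in AD DS as well
# Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
```

The recovery password, unlike a .BEK recovery key, is a numeric string you can type on any machine that mounts the drive, which is the "access it from another machine" case in the follow-up comment. Since the backup file is written to the volume being encrypted, copy it to a location the machine's loss would not also take away (a password manager, AD DS or Entra escrow, or printed storage) and then remove the local copy.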
