Enabling Disk Encryption with BitLocker Via Powershell On the Operating System Drive (C:\)

Question

I hope somebody here has run into the same issue as myself.

Oddities running my Powershell script to enable Bitlocker, appears to get to 95% sometimes however most times it fails.

OS - Windows 10 Professional 1809 GPO - Running Microsoft's best practices

I've been reading multiple forums and Windows best practices for setting Bitlocker via Powershell, none seem to have the specific answer

Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -RecoveryKeyPath "Valid Path" -RecoveryKeyProtector

do 
{
    $Volume = Get-BitLockerVolume -MountPoint C:
    Write-Progress -Activity "Encrypting volume $($Volume.MountPoint)" -Status "Encryption Progress:" -PercentComplete $Volume.EncryptionPercentage
    Start-Sleep -Seconds 1
}
until ($Volume.VolumeStatus -eq 'FullyEncrypted')

####################################################################
"Valid Path" refers to a valid UNC path with valid credentials.

The output seems to come back with:

#################################################################
Enable-BitLockerInternal : Value does not fall within the expected range.
At C:\windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:3733 char:48
+ ... eInternal = Enable-BitLockerInternal -MountPoint $BitLockerVolumeInte ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Enable-BitLockerInternal

Answer 1

I believe this happens with self-encrypting drives using an encryption method below what is required by Group Policy.

My fix:

1.  manage-bde -off C:

2. Delete the files in C:\\Windows\\System32\\Recovery

3. Wait for it to decrypt

4. Re-run enable-bitlocker