Problem : Group Policy settings for BitLocker startup options are in conflict
I am unable to turn on BitLocker and get this error message in the wizard:
The Group Policy settings for BitLocker startup options are in conflict and cannot be applied.
This is on a Dell E6410 Windows 7 Ultimate with TPM. The laptop is joined to the domain which uses a mixture of 2003 SP2 and 2008 R2 DCs. I have placed the lapotp in a OU and configured a GPO for the OU according to Microsoft’s Best Practices for BitLocker in Windows 7 document ( http://technet.microsoft.c
Solution : Group Policy settings for BitLocker startup options are in conflict
One of the BitLocker policy settings configures whether BitLocker requires additional authentication each time the computer starts. The options are: TPM, TPM + PIN, TPM + Key, TPM + PIN + Key.
Look at the attached screenshot of the option dialog.
The description for the policy states that “Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.” The problem was that I had chosen the option to ‘Require TPM’ and the option to ‘Require Startup PIN with TPM’. I had to change the first option to be ‘Do Not Allow TPM’.
Now in my defense perhaps you can see how I may have been confused about this. The way the UI is set up it looks like there is one overall option to first choose if you want to use the TPM and then three additional options to choose if you want to use additional authentication (PIN, Key, or PIN+Key) along with the TPM.
But that’s not the case. I want to use the TPM and require the user to enter a PIN. So I must set the first option to ‘Do not allow TPM’ and the second to ‘Require startup PIN with TPM’. In my mind that is a contradiction but whatever; MS didn’t consult me when they designed the UI. :o)