BitLocker is giving an error when trying to re-add public certificates to unlock the volumes without the physical smartcard containing the private certificate connected to the station. The smartcards are already fielded to the team, and it'd be inappropriate to recall anyone for something like this, even under normal non-COVID conditions...
0x80310074 "Group Policy settings requires that you use a smart card-based key protector with BitLocker Drive Encryption."
I went straight to gpedit.msc, no relevant settings... I went through a substantial portion of regedit, nothing there...
This rabbit hole has led me to think that the setting can be configured using PowerShell... Maybe somewhere in the WMI provider and the Win32_EncryptableVolume class? It seems this is the setting I'm trying to find: "FVE_E_POLICY_USER_CERT_MUST_BE_HW"
Anyone know how to fix this so that I can re-add the certs without the smartcards connected?
References:
https://docs.microsoft.com/en-us/windows/win32/secprov/win32-encryptablevolume
https://devblogs.microsoft.com/scripting/powershell-and-bitlocker-part-2/
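The following is an added example, not code from the question or from Microsoft. It shows the checks a practitioner would run before touching policy: read the BitLocker policy hive that Group Policy writes to, enumerate the certificate protectors already on a volume through the Win32_EncryptableVolume class referenced above, and attempt to add a protector from an exported public certificate (.cer, no private key or smart card needed for the call), decoding the returned HRESULT so 0x80310074 is recognised by name. The drive letter, file path and friendly name are placeholders, and the four registry value names are my recollection of what the "Configure use of smart cards on fixed/removable data drives" policies write, so verify them against VolumeEncryption.admx on your build. The BitLocker cmdlets (Add-BitLockerKeyProtector) have no certificate-protector option, which is why this goes through CIM.

```powershell
# Added example (not part of the original post). Run from an elevated prompt.
# Assumptions: a data volume D:, an exported public cert at $CerFile, and the
# registry value names listed under $Names (verify against VolumeEncryption.admx).

$Volume  = 'D:'
$CerFile = 'C:\certs\analyst1.cer'      # exported public certificate only
$FveNs   = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# HRESULT the original post hit: FVE_E_POLICY_USER_CERT_MUST_BE_HW
$FVE_E_POLICY_USER_CERT_MUST_BE_HW = 0x80310074

# 1. Policy hive. Local or domain GPO writes BitLocker settings here; the
#    *EnforceUserCert values correspond (assumption) to the "Require use of
#    smart cards" checkbox for fixed (FDV) and removable (RDV) data drives.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Names = 'FDVAllowUserCert','FDVEnforceUserCert','RDVAllowUserCert','RDVEnforceUserCert'
if (Test-Path $PolicyKey) {
    $props = Get-ItemProperty -Path $PolicyKey
    foreach ($n in $Names) {
        $v = $props.PSObject.Properties[$n]
        '{0,-20} {1}' -f $n, $(if ($v) { $v.Value } else { '<not set>' })
    }
} else {
    "No BitLocker policy key at $PolicyKey (no local or domain GPO applied)."
}

# 2. Existing certificate protectors. KeyProtectorType 7 = public key (certificate).
$vol = Get-CimInstance -Namespace $FveNs -ClassName Win32_EncryptableVolume `
        -Filter "DriveLetter='$Volume'"
if (-not $vol) { throw "Volume $Volume not found in $FveNs" }

$r = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
        -Arguments @{ KeyProtectorType = [uint32]7 }
foreach ($id in $r.VolumeKeyProtectorID) {
    # GetKeyProtectorCertificate returns the thumbprint and CertType (codes are
    # defined in the Win32_EncryptableVolume documentation linked in the post).
    $c = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorCertificate `
            -Arguments @{ VolumeKeyProtectorID = $id }
    "Protector $id  thumbprint=$($c.CertThumbprint)  CertType=$($c.CertType)"
}

# 3. Try to re-add a protector from the public certificate file and decode the result.
$add = Invoke-CimMethod -InputObject $vol -MethodName ProtectKeyWithCertificateFile `
        -Arguments @{ FriendlyName = 'analyst1 smart card'; FileName = $CerFile }
$hr = [uint32]$add.ReturnValue
if ($hr -eq 0) {
    "Added certificate protector $($add.VolumeKeyProtectorID) to $Volume"
} elseif ($hr -eq $FVE_E_POLICY_USER_CERT_MUST_BE_HW) {
    '0x{0:X8}: FVE_E_POLICY_USER_CERT_MUST_BE_HW - policy requires a smart card-based key protector' -f $hr
} else {
    'ProtectKeyWithCertificateFile failed with 0x{0:X8}' -f $hr
}
```

The same add can be done with `manage-bde -protectors -add D: -cert -cf C:\certs\analyst1.cer`, which surfaces the identical error text. If step 1 shows an EnforceUserCert value of 1 coming from a domain GPO, editing it under HKLM directly only lasts until the next policy refresh; the change has to be made in the GPO (or the machine moved out of its scope) for the protector add to stick.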
User contributions licensed under CC BY-SA 3.0