The TestBitlocker function evaluates KeyProtectors and AutoUnlock status for a given volume. If they do not match, the function returns $false and "Set" is executed.
If, however, the KeyProtectors are configured correctly and AutoUnlock is in the desired state, yet the volume is in the "FullyDecrypted" state, TestBitlocker returns $True and the volume is not processed for encryption anymore.
This is more likely to happen for the OS volume: EnableBitlocker attempts to encrypt the volume, but the call to Enable-Bitlocker fails for whatever reason, and the resource fails as expected. But the KeyProtectors are already in place and are not removed upon failure, and therefore subsequent configuration runs will evaluate Test as $True and skip Set.
Repro:
Try to use xBLBitlocker to encrypt the OS volume in a Hyper-V VM with Dynamically Expanding disks and no UsedSpaceOnly specified (I used TPM and RecoveryPassword protectors and had "Full Encryption" set in GPO). The first attempt fails with "BitLocker Drive Encryption only supports Used Space Only encryption on thin provisioned storage. (Exception from HRESULT: 0x803100A5)". Subsequent runs will skip Set and report success, yet the volume never gets encrypted.
Suggested fix:
TestBitlocker should test the "VolumeStatus" of the given BitLocker volume. If the status is "FullyDecrypted", it should return $false.
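The following is an added illustration of the suggested fix, not code from the xBitlocker module; the function name `Test-BitLockerDesiredState` and its parameters are hypothetical. It checks the required key protector types and the AutoUnlock state the way the issue describes, and then additionally refuses to report "in desired state" when `VolumeStatus` is `FullyDecrypted`, so a DSC engine would run Set again. The `$sample` object is constructed to reproduce the reported state (protectors present after a failed `Enable-BitLocker` call, volume never encrypted); the last line shows the same function applied to a real `Get-BitLockerVolume` result.

```powershell
# Added example, not the xBitlocker resource's own Test-TargetResource.
# Function name and parameters are hypothetical.
function Test-BitLockerDesiredState {
    [CmdletBinding()]
    param (
        # A BitLockerVolume object (from Get-BitLockerVolume) or any object that exposes
        # VolumeStatus, KeyProtector (items with KeyProtectorType) and AutoUnlockEnabled.
        [Parameter(Mandatory)] $Volume,
        # Key protector types that must be present, e.g. 'Tpm', 'RecoveryPassword'.
        [string[]] $RequiredProtectorTypes = @(),
        # Desired AutoUnlock state; $null means "not managed".
        [Nullable[bool]] $AutoUnlock = $null
    )

    # 1. Every required protector type must be present on the volume.
    $presentTypes = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    foreach ($type in $RequiredProtectorTypes) {
        if ($presentTypes -notcontains $type) {
            Write-Verbose "Missing key protector of type '$type'"
            return $false
        }
    }

    # 2. AutoUnlock must match when it is managed.
    if ($null -ne $AutoUnlock -and [bool]$Volume.AutoUnlockEnabled -ne $AutoUnlock) {
        Write-Verbose "AutoUnlock is '$($Volume.AutoUnlockEnabled)', wanted '$AutoUnlock'"
        return $false
    }

    # 3. The check the issue asks for: protectors being configured does not prove the
    #    data is protected. A FullyDecrypted volume still needs Set to run.
    if ([string]$Volume.VolumeStatus -eq 'FullyDecrypted') {
        Write-Verbose "Volume $($Volume.MountPoint) is FullyDecrypted; Set must run"
        return $false
    }

    return $true
}

# Constructed sample object reproducing the reported state: TPM and RecoveryPassword
# protectors were added, Enable-BitLocker then failed, and the volume was never encrypted.
$sample = [pscustomobject]@{
    MountPoint        = 'C:'
    VolumeStatus      = 'FullyDecrypted'
    AutoUnlockEnabled = $false
    KeyProtector      = @(
        [pscustomobject]@{ KeyProtectorType = 'Tpm' },
        [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
    )
}

Test-BitLockerDesiredState -Volume $sample -RequiredProtectorTypes 'Tpm', 'RecoveryPassword' -Verbose

# Against a live system (BitLocker module, elevated session):
# Test-BitLockerDesiredState -Volume (Get-BitLockerVolume -MountPoint 'C:') `
#     -RequiredProtectorTypes 'Tpm', 'RecoveryPassword'
```

With the constructed `$sample`, the protector and AutoUnlock checks pass exactly as in the issue, and only the `VolumeStatus` check makes the function return `$false`; without step 3 the function would return `$true` and the resource would keep reporting success on an unencrypted OS volume. Ordering the checks so that `VolumeStatus` is evaluated last keeps the verbose output pointing at the earliest mismatch, which helps when reading DSC logs.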
… is present (#16)
- Fixed issue which caused Test-TargetResource to incorrectly succeed on fully
decrypted volumes when correct Key Protectors were present (issue #13)