We're moving towards using BitLocker for FDE for all of our users. I just got everything created in GPO, with the startup PowerShell script attached, and everything went fine in the initial testing on a few machines. Once I opened that testing up to a few more users, we started having a few issues.
Scenario #1: Machines that were being used in testing apparently already had BitLocker enabled but suspended, because once the GPO ran on their devices they encrypted immediately. When running manage-bde -status C: I found out that the drive was encrypted using "Used Space Only Encryption" and XTS-AES 128.
Scenario #2: The second set of machines that we opened the testing up to would not encrypt the drive. When running get-bitlockervolume and manage-bde -status c: it shows the drive is fully decrypted and unlocked.
PS > get-bitlockervolume

VolumeType      Mount CapacityGB VolumeStatus   Encryption KeyProtector AutoUnlock Protection
                Point            Percentage                 Enabled    Status
--------------- ----- ---------- -------------- ---------- ------------ ---------- ----------
OperatingSystem C:    471.56     FullyDecrypted 0          {}                      Off
PS > manage-bde -status c:
BitLocker Drive Encryption: Configuration Tool version 10.0.26100
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Volume C: [Windows]
[OS Volume]
Size: 471.56 GB
BitLocker Version: 2.0
Conversion Status: Fully Decrypted
Percentage Encrypted: 0.0%
Encryption Method: None
Protection Status: Protection Off
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors: None Found
However, when it would run the GPO and the PowerShell script, it failed. I turned on logging and transcription, so I could figure out what the issue was. The GPO is running via Domain\System account, but failing due to a permissions error.
PS>CommandInvocation(Bitlocker_Encrypt_Workstation.ps1): "Bitlocker_Encrypt_Workstation.ps1"
TpmReady : True
RestartRequired : False
ShutdownRequired : False
ClearRequired : False
PhysicalPresenceRequired : False
Windows PowerShell transcript start
Start time: 20250828114453
Username: Domain\SYSTEM
RunAs User: Domain\SYSTEM
Configuration Name:
Machine: GBO052L (Microsoft Windows NT 10.0.26100.0)
Host Application: -ExecutionPolicy ByPass -File Bitlocker_Encrypt_Workstation.ps1
Process ID: 8380
PSVersion: 5.1.26100.4768
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.26100.4768
BuildVersion: 10.0.26100.4768
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
PS>CommandInvocation(Out-String): "Out-String"
ParameterBinding(Out-String): name="InputObject"; value="A required privilege is not held by the client. (Exception from HRESULT: 0x80070522)"
Add-TpmProtectorInternal : A required privilege is not held by the client. (Exception from HRESULT: 0x80070522)
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2103 char:31
+ ... $Result = Add-TpmProtectorInternal $BitLockerVolumeInternal.MountPo ...
+
    + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-TpmProtectorInternal
Add-TpmProtectorInternal : A required privilege is not held by the client. (Exception from HRESULT: 0x80070522)
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2103 char:31
+ ... $Result = Add-TpmProtectorInternal $BitLockerVolumeInternal.MountPo ...
+
    + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-TpmProtectorInternal
Add-TpmProtectorInternal : A required privilege is not held by the client. (Exception from HRESULT: 0x80070522)
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2103 char:31
+ ... $Result = Add-TpmProtectorInternal $BitLockerVolumeInternal.MountPo ...
+
    + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-TpmProtectorInternal
PS>TerminatingError(Backup-BitLockerKeyProtector): "Cannot validate argument on parameter 'KeyProtectorId'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again."
I even went as far as adding the Domain\System account to the GPO under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Act as part of the operating system", but it still failed. If the script is run locally, everything works as designed.
Script:
# Initialize the TPM
Initialize-Tpm

# Enable BitLocker on the OS volume with a recovery password protector
Enable-BitLocker -MountPoint "C:" -RecoveryPasswordProtector -SkipHardwareTest

# Back up the recovery password key protector to AD
$keyID = Get-BitLockerVolume -MountPoint C: | Select-Object -ExpandProperty KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
# Enable-BitLocker may have failed; do not call Backup with a null protector id
if (-not $keyID) { throw "No RecoveryPassword protector found on C:; nothing to back up." }
Backup-BitLockerKeyProtector -MountPoint C: -KeyProtectorId $keyID.KeyProtectorId
I am trying to find a common denominator: first, why our golden image machines are not configured exactly the same, and second, why some are working and some are not with the same GPO and script.
I am sure that we're going to have to turn off BitLocker on all the devices that are using "Used Space Only Encryption" to be able to turn on FDE, which I fear will then lead us into scenario #2, with the permissions issue.
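As an added example (not the poster's script), a preflight check that separates the two scenarios above before touching the volume, and adds the TPM and recovery-password protectors only on a fully decrypted volume. It assumes an elevated PowerShell session on the endpoint and leaves the cipher and full-vs-used-space choice to the GPO; the -Enable switch and the manage-bde text match are this example's own.

```powershell
# Added preflight example, not the original poster's script. Reports the state
# each scenario in the post describes, then only enables on an eligible volume.
#   Scenario #1: already encrypted (Used Space Only, XTS-AES 128) -> decrypt first
#   Scenario #2: fully decrypted, no key protectors -> enable and back up to AD
# Assumes an elevated session on the endpoint. Dry run unless -Enable is given.
param([string]$MountPoint = 'C:', [switch]$Enable)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
$tpm = Get-Tpm

# Get-BitLockerVolume does not expose Used Space Only; manage-bde -status reports
# it in its "Conversion Status" line, which is what the post relied on.
$conv = (manage-bde -status $MountPoint | Select-String 'Conversion Status').Line
$usedSpaceOnly = [bool]($conv -match 'Used Space Only')

[pscustomobject]@{
    MountPoint       = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus
    EncryptionMethod = $vol.EncryptionMethod
    ProtectionStatus = $vol.ProtectionStatus
    UsedSpaceOnly    = $usedSpaceOnly
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ',')
    TpmReady         = $tpm.TpmReady
} | Format-List

if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    # Scenario #1: as the post notes, the volume must be decrypted before FDE
    # with the policy's method can be applied; report and stop.
    Write-Warning "Already encrypted ($($vol.EncryptionMethod), UsedSpaceOnly=$usedSpaceOnly). Decrypt, then re-run."
    return
}
if (-not $tpm.TpmReady) { Write-Warning 'TPM not ready; run Initialize-Tpm first.'; return }
if (-not $Enable) { Write-Output 'Dry run: volume is fully decrypted and eligible. Re-run with -Enable.'; return }

# Scenario #2: TPM protector for unattended boot plus a recovery password.
# Cipher and full/used-space-only come from the GPO, so no -EncryptionMethod here.
Enable-BitLocker -MountPoint $MountPoint -TpmProtector -SkipHardwareTest
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

# Back up to AD only once a RecoveryPassword protector actually exists; this is
# the null KeyProtectorId terminating error from the transcript, caught early.
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) { throw 'No RecoveryPassword protector was created; nothing to back up.' }
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp[0].KeyProtectorId
```

Running it without -Enable on the failing machines gives a per-host record (encryption method, protectors, TPM state) that can be compared across the golden-image builds before any encryption is attempted.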