Issue to enable BitLocker with a SID-Based Identity protector

Hi everyone,
I’m facing an issue enabling BitLocker with a SID-Based Identity protector.

Reading the documentation (https://technet.microsoft.com/en-us/itpro/powershell/windows/bitlocker/enable-bitlocker), I'm trying to follow example 3:

Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes128 -AdAccountOrGroup "Western\SarahJones" -AdAccountOrGroupProtector

I just changed the EncryptionMethod to XTSAES256 and I get this error:

"To turn on BitLocker with a SID-Based Identity protector on this volume, you must provide at least one additional protector for recovery"

I don’t understand what is wrong…

Thanks a lot and regards

So, this is what we’d call a “problem,” not an “issue” :).

The difference is likely in how your volumes are configured - yours seem to want a Recovery Key. https://technet.microsoft.com/en-us/library/jj647767(v=ws.11).aspx discusses some of the details of that.

Reading the full help for Add-BitLockerKeyProtector:
"Active Directory Domain Services (AD DS) account. BitLocker uses domain authentication to unlock data volumes. Operating system volumes cannot use this type of key protector."

It seems that the AD DS account is not compatible with the operating system volume; the error from Enable-BitLocker seems to indicate something else.

Is there a way to implement TPM + AD DS account authentication to unlock OS volumes?

Thanks a lot,
Best regards
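The following is an added example, not code posted by anyone in this thread, showing the pattern the error message in the first post is asking for: a recovery protector must be added before the SID-based (AD account or group) protector, and, per the Add-BitLockerKeyProtector help quoted above, the AD DS account protector goes on a data volume while the OS volume gets TPM plus a recovery password. The mount points (D: as a data volume, C: as the OS volume), the principal name and the presence of a TPM are assumptions for illustration; run it in an elevated session on a domain-joined machine.

```powershell
# Added example (not from the thread). Assumptions: D: is a data volume, C: is the
# OS volume, the machine has a TPM, and 'Western\SarahJones' (taken from the
# Enable-BitLocker help example) is a valid domain principal.
$DataVolume  = 'D:'
$OsVolume    = 'C:'
$AdPrincipal = 'Western\SarahJones'

# 1. Data volume: add a recovery password protector FIRST, then enable BitLocker
#    with the AD DS account protector. Enable-BitLocker rejects a SID-based
#    protector as the only protector because a user or group SID cannot be used
#    to recover the volume, which is exactly the error quoted in the first post.
Add-BitLockerKeyProtector -MountPoint $DataVolume -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $DataVolume -EncryptionMethod XtsAes256 `
    -AdAccountOrGroup $AdPrincipal -AdAccountOrGroupProtector

# 2. OS volume: the AD DS account protector is not permitted here (see the
#    Add-BitLockerKeyProtector help quoted in the thread), so use the TPM as the
#    unlock protector and a recovery password as the additional recovery protector.
Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $OsVolume -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

# 3. Verify that every volume has a RecoveryPassword protector next to its
#    AdAccountOrGroup or Tpm protector. Store or escrow the recovery password
#    (Backup-BitLockerKeyProtector can write it to AD DS) before relying on it.
foreach ($vol in Get-BitLockerVolume -MountPoint $DataVolume, $OsVolume) {
    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
    [pscustomobject]@{
        MountPoint  = $vol.MountPoint
        VolumeType  = $vol.VolumeType          # OperatingSystem or Data
        Protectors  = ($types -join ', ')
        HasRecovery = ($types -contains 'RecoveryPassword')
    }
}
```

If HasRecovery is False for a volume, Enable-BitLocker with the AD account protector will keep failing with the same message; adding the recovery password protector is the step that satisfies it, and the encryption method (Aes128 vs. XtsAes256) has no bearing on that check.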

Sorry - I’m a PowerShell guy but not much of a BL expert.