Fix FVE_E_SECURE_KEY_REQUIRED (0x80310007) BitLocker error
This BitLocker error means the drive lacks a secure key protector. Here's how to fix it—from a quick command to a full decryption.
What's this error?
You're trying to enable BitLocker on a drive—maybe a USB stick or a secondary internal disk—and Windows hits you with error 0x80310007. The exact message: No secure key protection mechanism has been defined. Translation: BitLocker can't find a key protector (like a TPM or password) to lock the drive. This usually happens on systems where the TPM (Trusted Platform Module) isn't initialized or is disabled in firmware.
I've seen this crop up most often after a BIOS update or when migrating a drive to a new PC. If you're on a laptop from Dell or Lenovo from 2018-2020, the TPM might be there but sitting idle.
Important: Don't panic. This fix is straightforward. We'll start with the simplest option (30 seconds) and work up.
The 30-second fix: Add a TPM protector via command line
Open an elevated Command Prompt (Windows key → type 'cmd' → right-click → Run as administrator). Then run this:
manage-bde -protectors -add C: -tpm
If your system drive is C:, that's it. This tells BitLocker to use the TPM chip as the key protector. You should see a success message like: Added TPM protector.
Now try enabling BitLocker again via Control Panel or the Settings app. If it works? You're done. If you get another error, move to the next step.
Why this works: BitLocker needs at least one protector before it can encrypt. Many users accidentally skip this step when the TPM isn't auto-detected.
The 5-minute fix: Enable TPM in BIOS and initialize it
If the command above fails or reports TPM not found, the TPM is likely disabled in your system's BIOS/UEFI.
- Reboot and press the key to enter BIOS setup (usually F2, Del, or F10 on older systems).
- Look for Security or Trusted Computing settings. On many HP and Dell machines, it's under Security → TPM or TPM Device.
- Set TPM to Enabled (or Available). If you see options like 'Firmware TPM' or 'Discrete TPM', pick the one that matches your hardware—firmware TPM is fine for most modern CPUs (Intel 8th gen and newer).
- Save and exit (usually F10).
Once back in Windows, check if the TPM is recognized:
tpm.msc
You should see TPM Manufacturer and Specification Version. If it says Compatible TPM cannot be found, double-check your BIOS changes.
Now run the command from the 30-second fix again:
manage-bde -protectors -add C: -tpm
If it succeeds, enable BitLocker. If it still fails, your TPM might need clearing—but that's a last resort.
The advanced fix (15+ minutes): Decrypt, clear TPM, and re-encrypt
Sometimes the TPM is enabled but in a bad state (e.g., corrupted keys or after a motherboard swap). Clearing the TPM resets it to factory defaults.
- Back up any data on the drive you're trying to encrypt—this step will wipe any partial encryption state.
- Open Settings → Update & Security → Device Security (Windows 10/11). Click Security Processor Details → Clear TPM. You'll need to restart.
- Alternatively, run tpm.msc, then in the right pane click Clear TPM. Reboot.
After reboot, the TPM is reset. Now we need to decrypt the drive if BitLocker already left it in a messy state:
manage-bde -off C:
This decrypts the drive. It can take a while—let it finish. You can check progress with:
manage-bde -status C:
Once Percentage Encrypted shows 0%, you're decrypted. Now add the TPM protector again:
manage-bde -protectors -add C: -tpm
Finally, enable BitLocker:
manage-bde -on C:
This should work. If not, you might need a password protector instead—use -rp for a recovery password, but that's a different workflow. For 99% of cases, the above resolves it.
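A read-only triage check, added here as an example and not part of the original article: it uses the built-in Get-Tpm and Get-BitLockerVolume cmdlets to report the TPM state and the key protectors defined on the volume, then points at the matching fix above. The function name Get-ProtectorTriage, the default mount point C: and the mapping of states to fixes are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only triage for 0x80310007. It changes nothing on the system.
# Assumption: the BitLocker and TrustedPlatformModule modules are available
# (Windows Pro, Enterprise or Education). Save as a .ps1 and run elevated.
param([string]$MountPoint = 'C:')

function Get-ProtectorTriage {
    param([Parameter(Mandatory)][string]$MountPoint)

    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Names of the protectors currently defined on the volume (may be empty).
    $types = @($vol.KeyProtector |
        Where-Object { $_ } |
        ForEach-Object { "$($_.KeyProtectorType)" })

    # Map the observed state to one of the article's fixes.
    $next = if (-not $tpm.TpmPresent -or -not $tpm.TpmEnabled) {
        'TPM missing or disabled: enable it in BIOS/UEFI (5-minute fix).'
    } elseif (-not $tpm.TpmReady) {
        'TPM enabled but not ready: inspect tpm.msc; clearing it is the last resort (advanced fix).'
    } elseif ($types -notcontains 'Tpm') {
        "TPM ready, no TPM protector: manage-bde -protectors -add $MountPoint -tpm (30-second fix)."
    } else {
        'TPM protector already defined: retry enabling BitLocker.'
    }

    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus
        EncryptionPercentage = $vol.EncryptionPercentage
        TpmPresent           = $tpm.TpmPresent
        TpmEnabled           = $tpm.TpmEnabled
        TpmReady             = $tpm.TpmReady
        Protectors           = if ($types) { $types -join ', ' } else { '(none)' }
        NextStep             = $next
    }
}

Get-ProtectorTriage -MountPoint $MountPoint | Format-List
```

If Protectors lists RecoveryPassword, confirm that password is saved somewhere off the machine before clearing the TPM.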
One last thought
If you're still stuck after all this, check that your Windows version supports BitLocker (Pro, Enterprise, or Education—Home doesn't). Also, some SSDs with a built-in hardware encryption layer can conflict with BitLocker. Disable that in the drive's utility software (like Samsung Magician) and retry.
I know this error is infuriating—especially when you're just trying to secure a drive. Start with the command, check BIOS, and only nuke the TPM as a last resort. You got this.