gdu90-3129 asked GrayStrickland-1193 published

Bitlocker recovery key required every boot

I have a Win10 PC with Bitlocker protected OS drive C:, that has started to request the Bitlocker Recovery key be input upon cold boots, restarts, and resumes from hibernation even when no changes have been made to the hardware or to the selected UEFI boot device in-between. I have:

  • suspended and resumed Bitlocker protection from within Windows

  • cleared and reinitialized TPM through UEFI and again through CLI

  • decrypted and re-encrypted the drive.

None of the above restores the Bitlocker behaviour to the normal operation it previously had (i.e. requiring Recovery key input on C: only if dual-booting from an external drive). Is there another known solution to attempt?

If not, am I left to assume that either (1) the TPM is faulty, or (2) some hardware/firmware component of the PC is mis-reporting its identity to TPM each boot, or (3) something is incorrectly writing to GPT every shutdown. Is there another possibility that might be causing this behaviour ?

Thanks.

windows-10-security

Have you checked the event viewer for log files related to BitLocker?
Do you see any relevant logs there?

0 Votes 0 ·

Thanks, and 'yes'. The logged error event sequence is 24680, 24635 and 24636 - in summary, that Bitlocker fails to obtain the volume master key due to non-matching PCRs. I understand this to mean that the TPM calculates upon re-boot/resume that the PC's hardware profile has been changed since the previous boot/initialization. Clearly, in each case here it hasn't been, but that is what the TPM calculates, and so it refuses Bitlocker the VMK.

My suggestions 1, 2 and 3 were those I could think of as to why this incorrect calculation might happen. 1 and 2 would be hardware/firmware issues and not fixable by a clean re-install of Win10. I don't want to attempt that if it's likely not to be the solution.

I should have added originally that the local group policy settings for PCR are "not configured", which I understand to be recommended for Win10 so the OS when initializing TPM can define which components to include in the PCR.

0 Votes 0 ·

I am way out of my understanding getting on here, but I too have to put in that very long recovery key on every reboot, and at other odd times. I fully do not understand the BIOS update and the where/how/what of that. Updates have been done, I don't make system changes and have simply no idea why this thing is doing what this thing is doing. How do we turn this 48 number long code off for EVERY TIME I want to use my computer???????

Please, someone, help this schmuck. Please.


0 Votes 0 ·

Joedodger, in what you have written it is not clear whether you do want to use Bitlocker but find it is working incorrectly (i.e. by requesting the recovery key every boot) or whether you do not want to use Bitlocker.

  • If the former is the case, please look at the eventual solution I used and posted in the "April 23" comment below.

  • If the latter, there are instructions on how to turn off Bitlocker readily available by searching.


0 Votes 0 ·

Instead of entering your 48 digit key, press ESC, which takes you to another (similar) screen. At the new screen, enter the 48 digit key. This will alter the system and you'll never have to do it again.



0 Votes 0 ·
marianvulpe answered gdu90-3129 commented

Have you managed to find a solution for this? Facing similar issues on some computers, starting the current month (March, 2021).
BitLocker event log warning in one of the affected machines: "BitLocker cannot use Secure Boot for integrity because the TCG Log for PCR [7] contains invalid entries"


I resolved the issue with the following steps:

  1. made full system image (Macrium Reflect)

  2. removed BitLocker protection from drive C:

  3. removed TPM ownership info. through UEFI UI

  4. reinstalled ex-factory Win10

  5. reconfigured TPM ownership through UEFI UI

  6. reinstated BitLocker protection on drive C:

  7. restored system image.

It did not work the first time through without the third step - after step 6, the new installation (as made at step 4) did not require the Recovery Key, but the restored image after step 7 still did. When performed a second time through, adding in step 3, it worked correctly for both the re-installed system and the restored image. (It is possible the difference isn't step 3 but actually just having repeated the other steps for some reason.)

Hope this helps in your case.

0 Votes 0 ·
AliceYang-MSFT answered gdu90-3129 edited

Hi,

Could you please tell us your model?

Here is a KB from Dell Support which might help, BitLocker Asks for a Recovery Key Every Boot on USB-C / Thunderbolt Systems When Docked or Undocked.

Update your system's BIOS before proceeding, as some BIOS updates have implemented a fix for this issue.

Before you update the BIOS, please Suspend BitLocker protection.

Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.


If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


It's a Dynabook (Toshiba) Portege X30T-E rather than a Dell, unfortunately. The BIOS is up-to-date (last updated in November).

0 Votes 0 ·
Bagitman-1090 answered gdu90-3129 commented

No, I am not talking about removing the TPM itself, but the BitLocker TPM protector.
You do it like this on an elevated command prompt:

manage-bde -protectors -delete C: -Type TPM

This assumes you use TPM without a PIN; if you use it with a PIN, use instead:

manage-bde -protectors -delete C: -Type TPMAndPIN

Then re-add it:

manage-bde -protectors -add C: -TPM

(or manage-bde -protectors -add C: -TPMAndPIN)
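To turn the diagnosis running through this thread into one repeatable check (the 24680/24635/24636 event sequence that reports a PCR mismatch, the TPM 2.0 / GPT / Secure Boot questions in the later answers, and the protector delete-and-re-add shown just above), here is an added PowerShell script. It is not part of any poster's reply; it uses the built-in BitLocker, TrustedPlatformModule and SecureBoot modules on Windows 10, reads the event IDs named in the thread from the System and BitLocker Management logs, and cycles the TPM protector only when the -CycleTpmProtector switch is given and a recovery-password protector already exists. The -Drive and -CycleTpmProtector parameters and the function names are this script's own choices, not anything from the thread.

```powershell
# Added example, not from any poster in this thread. Run from an elevated PowerShell prompt on Windows 10.
# Assumes the built-in BitLocker, TrustedPlatformModule and SecureBoot modules are available.
# -Drive, -CycleTpmProtector and the function names below are this script's own (hypothetical) choices.
param(
    [string]$Drive = 'C:',
    [switch]$CycleTpmProtector   # only delete/re-add the TPM protector when explicitly requested
)

function Get-BitLockerPcrEvents {
    # Event IDs cited in the thread: 24680 / 24635 / 24636 (VMK not obtained because PCRs do not match).
    # BitLocker-Driver events land in the System log; the BitLocker Management log is read as well.
    $filter = @{
        LogName = 'System', 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 24635, 24636, 24680
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Get-TpmBootState {
    # The checks the later answers ask for: TPM ready, TPM spec version, Secure Boot, and GPT on the OS disk.
    $tpm        = Get-Tpm
    $secureBoot = try { Confirm-SecureBootUEFI } catch { 'not UEFI / unavailable' }
    $spec       = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
    $style      = (Get-Partition -DriveLetter $Drive.TrimEnd(':') | Get-Disk).PartitionStyle
    [pscustomobject]@{
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady
        TpmSpecVersion = $spec          # starts with "2.0" on a TPM 2.0
        SecureBoot     = $secureBoot    # $true when Secure Boot is on (PCR[7] binding depends on it)
        PartitionStyle = $style         # must be GPT for TPM 2.0, as the thread notes
    }
}

function Get-TpmProtectorProfile {
    # Protectors on the volume plus the PCR validation profile that manage-bde reports.
    $vol = Get-BitLockerVolume -MountPoint $Drive
    $pcr = (& manage-bde -protectors -get $Drive) |
        Select-String -Pattern 'PCR Validation Profile' -Context 0, 1 |
        ForEach-Object { $_.Line; $_.Context.PostContext }
    [pscustomobject]@{
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = $vol.KeyProtector | Select-Object KeyProtectorId, KeyProtectorType
        PcrProfile       = $pcr
    }
}

function Invoke-TpmProtectorCycle {
    # Same effect as "manage-bde -protectors -delete C: -Type TPM" followed by "-add C: -TPM",
    # done with the BitLocker cmdlets. Refuses to run unless a recovery-password protector exists,
    # because once the TPM protector is gone the recovery password is the only way to unlock the volume.
    $vol      = Get-BitLockerVolume -MountPoint $Drive
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) { throw "No recovery password protector on $Drive; add one and back it up first." }
    Write-Warning "Recovery password protector $($recovery.KeyProtectorId) is present; confirm it is backed up before continuing."
    foreach ($p in ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -in 'Tpm', 'TpmPin' })) {
        Remove-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $p.KeyProtectorId | Out-Null
        if ($p.KeyProtectorType -eq 'Tpm') {
            Add-BitLockerKeyProtector -MountPoint $Drive -TpmProtector | Out-Null
        } else {
            # A TPM+PIN protector needs the PIN again; ask for it as a SecureString rather than plain text.
            $pin = Read-Host -AsSecureString 'Enter the BitLocker PIN'
            Add-BitLockerKeyProtector -MountPoint $Drive -TpmAndPinProtector -Pin $pin | Out-Null
        }
    }
    (Get-BitLockerVolume -MountPoint $Drive).KeyProtector | Select-Object KeyProtectorId, KeyProtectorType
}

'== BitLocker PCR-related events =='; Get-BitLockerPcrEvents | Format-Table -AutoSize
'== TPM / boot state ==';            Get-TpmBootState | Format-List
'== Protectors and PCR profile ==';  Get-TpmProtectorProfile | Format-List
if ($CycleTpmProtector) { '== Cycling TPM protector =='; Invoke-TpmProtectorCycle | Format-Table -AutoSize }
```

Run it once without the switch to collect the event history, TPM state and the PCR validation profile (on a Secure Boot machine this is normally PCRs 7 and 11; on a legacy profile 0, 2, 4 and 11). Only if everything there looks healthy does re-running it with -CycleTpmProtector make sense; the recovery-password check is deliberate, since the delete step leaves the volume unlockable only by that password until the new TPM protector is sealed.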


Thanks, but that is already something I had tried and did not work.

0 Votes 0 ·
Bagitman-1090 answered gdu90-3129 commented

Remove the TPM protector and re-add it again.
If that does not help, verify if the TPM is operating as TPM 2.0 and if yes, if the OS drive uses GPT partitioning (it has to, for TPM 2.0).


Thanks. Yes, it is TPM 2.0 and GPT on the OS drive.

By "remove the TPM protector and re-add it" do you mean remove it from Win10 use via Device Manager (and if so, how to re-add?) or do you mean remove it from the boot procedure by changing something in UEFI?

0 Votes 0 ·