defender2021-4303 asked:

TPM v1.2 - No recovery key needed to reboot into safe mode?

Hi Guys,

I have a Win 10 build 17763 Lenovo machine that has a TPM v1.2 chip, and the OS drive is BitLocker-encrypted.

I am able to reboot the machine into safe mode without being prompted for a recovery key, whereas a colleague of mine has a TPM v2.0 machine and he is asked for a recovery key when booting into safe mode.

So it seems this could be a TPM version issue but could someone please confirm or point me to the documentation about this?

Thanks

windows-10-security

I hope you are aware that there is a difference between having a TPM and using it with BitLocker.
I guess you have not used the TPM but a different type of protector (password or USB stick); then no recovery key is asked for (but of course the password or USB key is asked for!).


Thanks for your comment

I am not being prompted for usb or password either.

Volume C: [OSDisk]
[OS Volume]

 Size:                 229.60 GB
 BitLocker Version:    2.0
 Conversion Status:    Fully Encrypted
 Percentage Encrypted: 100.0%
 Encryption Method:    AES 256
 Protection Status:    Protection On
 Lock Status:          Unlocked
 Identification Field: Unknown
 Key Protectors:
     TPM
     Numerical Password
MTG-6756 (replying to defender2021-4303):

I agree with Jenny: Make sure that secure boot is active.


Hi,

We have not received any information from you for several days.

If the reply is useful for you, please accept it as the answer. It will be helpful to other members who have the same question.
If you have any other confusion, please reply to us directly.

JennyFeng-MSFT answered:

@defender2021-4303
Hi,
I think it has something to do with whether you enable BitLocker.
BitLocker locks the drive if you go into safe-mode. That is a normal function to protect your data.
If you are not asked to enter a recovery key, you may not have BitLocker enabled.

The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.
For your reference:
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq

Hope the above information helps you.

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Hi Jenny

Thanks for your reply
BitLocker is enabled; the drive is fully encrypted with TPM + Numerical Password as protectors.
See below

Volume C: [OSDisk]
[OS Volume]

 Size:                 229.60 GB
 BitLocker Version:    2.0
 Conversion Status:    Fully Encrypted
 Percentage Encrypted: 100.0%
 Encryption Method:    AES 256
 Protection Status:    Protection On
 Lock Status:          Unlocked
 Identification Field: Unknown
 Key Protectors:
     TPM
     Numerical Password


This seems to be a system bug.



Hi,
You could go into the BIOS settings and enable Secure Boot, then save the settings and reboot the system.


Hi Jenny

I tested again today with Secure Boot enabled as you suggested (it was disabled before), but the result was the same.
The machine boots straight to the Windows login.




JennyFeng-MSFT answered:

Hi,
How did you enable BitLocker? Have you stored the recovery key?
You can refer to the following link to confirm the difference between TPM v1.2 and TPM v2.0:
TPM and Windows Features
https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-recommendations
TPM v1.2 does not support Device Encryption.
Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows 10.

Hope the above information helps you.


Hey Jenny, it's an enterprise-grade OS and the key is escrowed to our MBAM portal, which I already used after the Secure Boot change in the BIOS.

I have started a conversation via OEM support channel too.


Hi,
Looking forward to your feedback; I think it has little to do with the version.
Also, please check the following GPO:
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Enable "Require additional authentication at startup"

Enable "Enable use of BitLocker authentication requiring preboot keyboard input on slates"

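A diagnostic check, added here and not posted by any participant in the thread, that gathers on one machine the facts argued about above: TPM spec version, Secure Boot state, the BitLocker protectors and PCR validation profile on the OS volume, and the two policy settings under the GPO path Jenny names. The registry value names for those two policies are my assumption from the BitLocker ADMX (the thread does not state them); run it from an elevated PowerShell prompt.

```powershell
# Added diagnostic example (not from the thread). Requires an elevated prompt
# on Windows 10; all cmdlets used are built in (BitLocker, SecureBoot, CIM).
$osDrive = $env:SystemDrive   # usually "C:"

# 1. TPM spec version (1.2 vs 2.0) from the WMI TPM provider
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
"TPM SpecVersion : {0}" -f $tpm.SpecVersion

# 2. Secure Boot state; the cmdlet throws on legacy-BIOS (non-UEFI) systems
try   { "Secure Boot     : {0}" -f (Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { "Secure Boot     : not available (legacy BIOS or unsupported firmware)" }

# 3. BitLocker state and key protectors on the OS volume
$vol = Get-BitLockerVolume -MountPoint $osDrive
"Protection      : {0}" -f $vol.ProtectionStatus
"Protectors      : {0}" -f (($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', ')

# 4. PCR validation profile bound to the TPM protector. manage-bde prints the
#    PCR list on the line after "PCR Validation Profile:", hence -Context 0,1.
manage-bde -protectors -get $osDrive | Select-String -Pattern 'PCR Validation Profile' -Context 0,1

# 5. The two policies from the GPO path in the thread, as stored under the
#    FVE policy key. Value names are an assumption from the BitLocker ADMX;
#    a missing value means the policy is "Not configured".
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
foreach ($name in 'UseAdvancedStartup', 'OSEnablePrebootInputProtectorsOnSlates') {
    $val = (Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue).$name
    "Policy {0,-40}: {1}" -f $name, $(if ($null -eq $val) { 'not configured' } else { $val })
}
```

Running this on both the TPM v1.2 and the TPM v2.0 machine and comparing the protector list, PCR profile and policy values gives a concrete basis for the comparison the question asks about.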

Hi,

Just checking in to see if the information provided was helpful.

If the reply helped you, please remember to accept as answer.
If no, please reply and tell us the current situation in order to provide further help.
