BitLocker requests encryption key at every boot

Question

  • I have installed and set up BitLocker on a Sony VAIO with a TPM 1.2 chip. The drive has been fully encrypted. With BitLocker on, every time the system boots I get the following message:

    Windows BitLocker Drive Encryption Information

    The system boot information has changed since BitLocker was enabled.

    You must supply a BitLocker recovery password to start this system.

    Confirm that the boot changes to this system are authorized.

    If the changes to the boot system are trusted, then disable and re-enable BitLocker. This will reset BitLocker to use the new boot information.

    Otherwise, restore the system boot information.

    ENTER=Continue 

    I have tried disabling and re-enabling BitLocker (disable; reboot; enable; reboot) and get the same message. I have even tried disabling to the point of decrypting and then re-encrypting the whole drive. Neither approach has worked. According to the BitLocker FAQ, one of the following should trigger the message I'm getting:

    Unauthorized changing of the BIOS, master boot record (MBR), boot sector, boot manager, or other early boot components would cause a failure in the integrity checks and keep the TPM-protected key from being released. This is by design because unauthorized modification of any of those components could and should be perceived as an attack. Of course, the BitLocker feature provides methods for authenticated system administrators to update these components if required.

    None of that has happened. Any suggestions?

    Thanks in advance.

    Monday, February 12, 2007 9:28 PM

Answers

  • When I tested it the setting didn't take effect unless I turned off BitLocker and decrypted the drive, then turned it back on with the new setting applied.

    I forgot to mention in the last post too: open an administrative command prompt (right click on CMD and click Run As Administrator) and type "gpupdate /force". This reloads the GPO. (It usually takes a little while for them to refresh by default.)

    An earlier post in this thread states that you just need to apply the new PCR settings and reboot, but from my own testing you really do need to disable, decrypt, enable and encrypt with a new key. The only way I found to speed things up without having to wait for the drive to fully encrypt each time was to skip the test, and right away click on the pause encryption option in the encryption dialog box. I would then perform my reboot test. I have to do it all again though. A reboot test and a hibernate test. It seems hibernating the workstation also changes startup information on the computer that BitLocker doesn't like.

    Thursday, March 15, 2007 3:50 PM

All replies

  • What other software is on your system other than Windows?

    AV, disk utilities, and other stuff

    Tuesday, February 13, 2007 12:36 PM
  • Dear All

    I have the exact same problem with my Sony Vaio SZ1 with a TPM 1.2.

    I have performed a clean install of Vista. I have not installed any additional software as I wanted to set up the TPM first. On running the BitLocker setup wizard it runs the test to ensure that the computer will boot with the USB Flash device attached before encrypting.

    On restart I get the same error message as above and turning TPM off, reboot, TPM on reboot, makes no difference.

    Any thoughts on what to try?

    Sunday, February 18, 2007 9:00 AM
  • Same problem here with a Vaio SZ330P.

    Requests key on every boot.  Have tried everything MS suggests.

    Would love to hear if anyone finds a solution.

     

    Saturday, March 03, 2007 10:41 PM
  • Did you wipe the hidden partition on the Sony drive?

    Also, what AV are you running?

    Tuesday, March 06, 2007 11:26 AM
  • I did wipe the hidden Sony partition (followed the Windows instructions to prepare the drive in DOS prior to installing Vista). This deleted the Sony partition and created the two new partitions required as per the instructions.

    AV - I have CA Anti virus (California Associates) - but am fairly certain that when I was trying to get BitLocker to work I had not yet installed any additional software.

     

    Thanks

     

    Tuesday, March 06, 2007 12:08 PM
  • I have a SZ120P and I did a full wipe. I am using ESET's NOD32. I am trying to exclude boot file scans now...
    Tuesday, March 06, 2007 5:50 PM
  • Same for me. Sony VGN-TXN27N. I left the Sony recovery partition there and used the Vista Ultimate tool to repartition the drive. I naively assumed that if the tool ran without error then the partitioning was okay for BitLocker. Do folks think it is really necessary to remove the recovery partition?
    Friday, March 09, 2007 5:46 PM
  • Addendum to my previous post. Since the message implies the TPM has detected a boot path modification, I used group policy to modify the TPM Platform Validation Profile so that only PCR 11 is used. This appears to disable all checks and the system boots correctly without requiring a key from me.

    So now the question is, which of the default PCR indices (0, 2, 4, 8, 9, 10 and 11) is causing boot validation to fail?

    I can't tell if I can disable bitlocker and change the Platform Validation Profile, or whether I have to completely decrypt and re-encrypt to have the changes take effect. Does anyone know? If it's the former it'll be easy to find the culprit. I'm tired of these 5 hour experiments :(

    Saturday, March 10, 2007 1:38 AM
  • You don't have to have the entire hard drive encrypted to test that. Just start encrypting it, then pause encryption then reboot and test.
    Sunday, March 11, 2007 2:52 PM
  • I tested all of them.

    If I leave out "PCR 9:NTFS Boot Block " it boots up without the error message.

    If this solves your problem please post in thread.

    Thanks,

    Daniel

    Sunday, March 11, 2007 10:11 PM
  • Update:

    I hibernated the system, and now it's asking me for the key again :(

    This is getting rather tedious! Back to testing each one....

    Monday, March 12, 2007 12:00 PM
  • I too am having the same problem with recovery at every reboot. I am using a Vaio SZ4 with TPM 1.2.
    Monday, March 12, 2007 1:31 PM
  • A couple of updates on this...

    I confirmed with someone at Microsoft that the PCR policy settings are re-read each time the disk is sealed, so you can disable/change/enable and the new settings are used.

    On my Sony VGN TXT27N I disabled all PCR settings except 11 and things worked fine. Then I enabled them one by one and still everything worked fine with the default profile (0, 2, 4, 8, 9, 10, 11). I'm not sure why, since initially I was getting the recovery screen with the default profile. Something clearly isn't quite right, but for now I have the defaults turned on and bitlocker is happy, even coming back from hibernation.

    Tuesday, March 13, 2007 2:04 AM
  • Mr Zebedee, I'd be really grateful if you could explain how to disable the PCR settings since I'd like to try this fix too. It's a real pain having to enter the bitlocker recovery key every reboot. Thanks
    Mr. Zebedee wrote:

    A couple of updates on this...

    I confirmed with someone at Microsoft that the PCR policy settings are re-read each time the disk is sealed, so you can disable/change/enable and the new settings are used.

    On my Sony VGN TXT27N I disabled all PCR settings except 11 and things worked fine. Then I enabled them one by one and still everything worked fine with the default profile (0, 2, 4, 8, 9, 10, 11). I'm not sure why, since initially I was getting the recovery screen with the default profile. Something clearly isn't quite right, but for now I have the defaults turned on and bitlocker is happy, even coming back from hibernation.

    Thursday, March 15, 2007 11:17 AM
  • Start Orb->Run (or in the search field)->gpedit.msc

    Drill down to Administrative Templates - Windows Components -Bitlocker Drive Encryption.

    In the right hand pane of the window click on "Configure TPM Platform Validation Profile".

    This has all the PCR settings.

    Thursday, March 15, 2007 2:23 PM
  • I tried disabling all PCR settings except 11 and I still get the recovery screen after a reboot :(

     

    Daniel N wrote:

    Start Orb->Run (or in the search field)->gpedit.msc

    Drill down to Administrative Templates - Windows Components -Bitlocker Drive Encryption.

    In the right hand pane of the window click on "Configure TPM Platform Validation Profile".

    This has all the PCR settings.

    Thursday, March 15, 2007 3:41 PM
  • I've had the same problem on a Vaio SZ2XP - get encryption key request at every boot.

     

    Don't suppose anyone has found a permanent solution to this problem?

    Monday, April 16, 2007 10:22 PM
  • Please make sure the VAIO is configured as such:

    1. TPM must be enabled in BIOS.
    2. External Drive Boot must be enabled in BIOS.
    3. Change the boot order in BIOS:
        1. Internal Optical Drive
        2. Floppy Disk Drive
        3. Internal Hard Disk Drive
        4. USB Flash
       Then the order of the remaining drives does not matter.


    Wednesday, June 06, 2007 7:55 AM
  • I tried this on my SZ2XP but it didn't appear to work.

     

    The laptop still requests encryption key at every boot.

     

    Sony have told me they won't support Bitlocker - so have almost given up on this one unless someone has found a way to get it working?

    Saturday, June 09, 2007 6:35 PM
  • 1. First disable BitLocker (do not decrypt!!!)

    2. Take ownership of the TPM chip

    3. Reboot

    4. Initialize the TPM chip, enter the password on the TPM chip

    5. Enable BitLocker

    The drive is still encrypted and your TPM chip is loaded, and it won't request keys on boot.

     

    regards.

     

    Patrick Veldboer

     

    Friday, June 15, 2007 12:58 PM
  • I am still having troubles getting this to work, but thanks for the advice. I'll post an update if I figure this out.

    wng

    Friday, July 20, 2007 6:57 AM
  • Hi,

     

    DO you have any updates on this? I too have the same problem.

     

    Saturday, December 01, 2007 7:17 PM
  • Hi Wordsun,

     

    Have you found a fix?  I am having the same problem.

     

    Sailor22

     

    Saturday, December 29, 2007 8:54 PM
  •  

    I asked Sony again if they had any plans to update their drivers/BIOS to accommodate BitLocker properly for the SZ2XP and they said "no plans at present".

    Tuesday, January 15, 2008 11:45 PM
  • Have you checked in the BIOS to make sure the TPM is turned on?
    Thursday, February 11, 2010 12:02 AM
  • What has worked for me is:

    1.  Boot up
    2.  Go to Control Panel then BitLocker Drive Encryption
    3.  Click Suspend Protection
    4.  Click Enable Protection

    Rebooted and was all good.
    Friday, February 12, 2010 9:39 PM
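    An added example, not code from the thread: a PowerShell snippet that reads the PCR validation profile `manage-bde -protectors -get` reports for the TPM protector, compares it with the default profile listed earlier in the thread (0, 2, 4, 8, 9, 10, 11), and performs the Suspend/Resume re-seal from this post on the command line. `manage-bde` and its `-protectors -get/-disable/-enable` switches are real; the drive letter and the sample output are assumptions, and the sample is constructed rather than captured from a real host.

```powershell
# Added example (not from the thread). Parses the PCR validation profile out of
# manage-bde output, diffs it against the thread's default profile, and re-seals
# the TPM-protected key via suspend/resume. Drive letter and sample are assumed.

# Constructed sample of "manage-bde -protectors -get C:" output (not a real host).
$SampleOutput = @'
Volume C: [OS]
All Key Protectors

    TPM:
      ID: {PLACEHOLDER-PROTECTOR-ID}
      PCR Validation Profile:
        0, 2, 4, 8, 10, 11
'@ -split "`r?`n"

# Default BIOS platform validation profile as listed in the thread.
$DefaultProfile = @(0, 2, 4, 8, 9, 10, 11)

function Get-PcrValidationProfile {
    param([string[]]$ManageBdeOutput)
    for ($i = 0; $i -lt $ManageBdeOutput.Count - 1; $i++) {
        if ($ManageBdeOutput[$i] -match 'PCR Validation Profile:') {
            # The PCR list sits on the following line, e.g. "0, 2, 4, 8, 9, 10, 11".
            return @($ManageBdeOutput[$i + 1] -split ',' | ForEach-Object { [int]$_.Trim() })
        }
    }
    return @()   # no TPM protector present on this volume
}

function Compare-PcrProfile {
    param([int[]]$Actual, [int[]]$Expected = $DefaultProfile)
    [pscustomobject]@{
        Actual  = ($Actual -join ', ')
        Missing = (($Expected | Where-Object { $Actual -notcontains $_ }) -join ', ')
        Extra   = (($Actual   | Where-Object { $Expected -notcontains $_ }) -join ', ')
    }
}

function Invoke-BitLockerReseal {
    # Same effect as Control Panel "Suspend Protection" then "Resume Protection":
    # the key is re-sealed to the PCR values of the current boot. Run elevated.
    param([string]$Drive = 'C:')
    & manage-bde -protectors -disable $Drive
    & manage-bde -protectors -enable  $Drive
}

# Offline demo on the constructed sample: reports PCR 9 as Missing from the default.
Compare-PcrProfile -Actual (Get-PcrValidationProfile $SampleOutput)

# On a real host (elevated): Compare-PcrProfile -Actual (Get-PcrValidationProfile (manage-bde -protectors -get C:))
```

    If `Extra` or `Missing` is non-empty, the profile differs from the default and a recovery prompt after a BIOS, boot-sector or hibernation change is expected until the key is re-sealed.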
  • Amazing... this worked for me too!

    Did try to reset the tpm password with the "bitlocker file" password,
    but all the time it kept asking for the key at boot.

    After suspend and resume protection, I restarted and it was gone!!

    Thnx Esvabas!
    Friday, March 05, 2010 6:33 PM
  • Hi Esvabas / Softgrid_applicator

    Which model of Sony Vaio are you using? Just tried this approach but still getting encryption key request at every boot...
    Mine is the SZ2XP.

    Friday, March 12, 2010 10:27 AM
  • Well I finally managed to get Bitlocker working properly on my Vaio VGN-SZ2XP by flashing the BIOS with one designed for a later (bitlocker compatible) SZ model. I'd just upgraded to Windows 7 Ultimate and Bitlocker was still requesting key at every boot..

    My inspiration was these threads which mention using a later SZ model BIOS on earlier SZ models.
    http://forum.notebookreview.com/showthread.php?t=118601
    http://forum.notebookreview.com/showthread.php?t=189228

    In my case I used BIOS version R0112N0 designed for the SZ440. Downloaded from here
    http://esupport.sony.com/US/perl/swu-download.pl?mdl=VGNSZ440&upd_id=2717&os_id=29
    Sony state this BIOS supports Bitlocker.

    The installer complained when I tried to run it that it's not for my notebook model. I got around that by extracting with Universal Extractor
    http://legroom.net/software/uniextract and ran the executable located in the TEMPEXEFOLDER folder.

    An anxious minute or so passed, the BIOS was flashed, the SZ2XP rebooted. I enabled bitlocker, encrypted the drive, rebooted - and NO MORE key request at boot time!

    I did this a few days ago and system has been fine since - of course using a BIOS not designed specifically for my model is a risk, but so far so good. And I have Bitlocker fully functioning. Very pleased.



    Saturday, March 13, 2010 4:39 AM
  • Same worked well here on an IBM Lenovo Laptop. Thanks bunches!

    Small sidenote: step 3 reads "Resume Protection" and not enable protection. Guess most can figure that out themselves though :)

    I have created a step by step tutorial including screenshots of how to accomplish this at:

    http://www.zomers.eu/knowledge/misc/Pages/Solve-having-to-enter-your-BitLocker-key-every-time-at-Windows-boot.aspx


    Monday, June 27, 2011 1:50 PM
  • What has worked for me is:

    1.  Boot up
    2.  Go to Control Panel then BitLocker Drive Encryption
    3.  Click Suspend Protection
    4.  Click Enable Protection

    Rebooted and was all good.

    This worked for me. thanks

    IBM X60 Windows 7 Ultimate SP1

    Thursday, March 29, 2012 12:17 PM
  • I have a user who was experiencing the same issue on a Windows 7 Enterprise SP1 Lenovo X201. Followed the procedure and rebooted several times just to make sure! :)

    It's all good now. Thanks a bunch for everyone's help on these forums.

    Wednesday, June 20, 2012 12:30 PM
  • I just wanted to say thank you for this. I know it's been over 2 years since this was posted, but I was having this issue on my work PC and I did a search and found this. I got the encryption key from my IT department, but it was asking for the key request every restart. Doing this saved my ass. Thank you, you are a life saver!
    Friday, August 10, 2012 12:07 AM
  • Please note: when TPM asks for the recovery key, it even states BEFORE that you should enter the recovery key, THEN suspend and resume Bitlocker....

    (doesn't work for me, Win7 enterprise)

    I will try the PCR settings in gpedit...


    Friday, August 10, 2012 6:28 AM
  • This worked for me as well.

    Lenovo X1 Carbon, Windows 8

    Monday, March 25, 2013 5:12 PM
  • in TPM administration just click suspend and enable and it works for me. Thanks

    Lenovo X220

    Friday, April 12, 2013 8:57 AM
  • This worked for me as well.  Thanks.
    Tuesday, April 23, 2013 4:14 PM
  • What has worked for me is:

    1.  Boot up
    2.  Go to Control Panel then BitLocker Drive Encryption
    3.  Click Suspend Protection
    4.  Click Enable Protection

    Rebooted and was all good.

    Thursday, June 06, 2013 5:07 AM
  • What has worked for me is:

    1.  Boot up
    2.  Go to Control Panel then BitLocker Drive Encryption
    3.  Click Suspend Protection
    4.  Click Enable Protection

    Rebooted and was all good.
    worked like a charm! thanks for making it straight forward! 
    Monday, July 14, 2014 5:21 AM