BitLocker Recovery Key Prompt Issue in Windows 10

  • Question

  • We have several Lenovo E560 laptops deployed with Samsung EVO 850 SSDs and Windows 10 1709. These happen to have the Infineon (IFX) TPM chips and we have BitLocker full-drive encryption with eDrive (hardware encryption) enabled using UEFI/Secure Boot. The key protectors are TPM+USB key and Numeric PIN for recovery. They produce this message in the tpm.msc console:

    The TPM firmware on this PC has a known security problem. Please contact your PC manufacturer to find out if an update is available. For more information please go to https://go.microsoft.com/fwlink/?linkid=852572

    I read the article at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012

    An issue has been occurring after the March 2018 Cumulative update installs (KB4088776) and Windows restarts. The OS drive prompts for the recovery key. No problem here as we enter it and the drive unlocks. However, in Windows, the Manage BitLocker console reports that BitLocker is turned off! Also the manage-bde -status confirms that the drive is fully decrypted and protection is off. 

    Disk volumes that can be protected with
    BitLocker Drive Encryption:
    Volume C: []
    [OS Volume]
        Size:                 465.21 GB
        BitLocker Version:    None
        Conversion Status:    Fully Decrypted
        Percentage Encrypted: 0.0%
        Encryption Method:    None
        Protection Status:    Protection Off
        Lock Status:          Unlocked
        Identification Field: None
        Key Protectors:       None Found

    From Diskpart:

      Partition ###  Type              Size     Offset
      -------------  ----------------  -------  -------
      Partition 1    Recovery           450 MB  1024 KB
      Partition 2    System             100 MB   451 MB
      Partition 3    Reserved            16 MB   551 MB
      Partition 4    Primary            465 GB   567 MB

    On the first laptop in which I encountered this, I tried to turn BitLocker back on, but on reboot during the check, it corrupted the Windows bootloader and put me in an automatic recovery repair loop. I was able to get out of that, but the BitLocker recovery key prompt remained. Even clearing the TPM in Windows or manually from the BIOS doesn't resolve it. Also disabling the TPM in BIOS doesn't resolve it. What DID resolve it was deleting all the partitions and installing Windows from scratch.

    I then applied a TPM firmware update from Lenovo (updated these from 6.40 to 6.43), now Microsoft no longer reports the vulnerability and all is well.

    This took me many hours to diagnose and solve. Obviously, a complete Windows reinstallation is not the way to go and I have several other affected laptops waiting for a fix. But so far, I can't figure out what to do about clearing the BitLocker recovery key. I'd like to be able to do the following:

    1. Clear any keys or prompts and allow Windows to boot normally with no BitLocker prompts.

    2. Install the TPM firmware update.

    3. Re-enable BitLocker.

    4. Accomplish this without destroying the Windows installation or causing an OS reinstall.

    How can I remove the continual BitLocker recovery key prompting when Windows is reporting that it is not enabled and doesn't exist to begin with?

    Saturday, March 17, 2018 2:12 PM
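An added pre-flight script for the four steps listed above (PowerShell; this is not the poster's code and the original post contains none). It records the TPM vendor and firmware version that tpm.msc is warning about, backs up the recovery password and startup key, and suspends BitLocker rather than decrypting it before the firmware is flashed. Assumptions, also marked in the code: that the System-log form of the tpm.msc warning is Event ID 1794 from the Microsoft-Windows-TPM-WMI provider (the ADV170012 guidance), that D:\ is the USB key, and that backup paths are arbitrary.

```powershell
# Added example, not from the original post. Run elevated in full Windows before flashing TPM firmware.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = 'C:',
    [string]$BackupDir  = 'D:\BitLockerBackup'   # assumption: a USB key or other non-OS volume
)

function Get-TpmFirmwareReport {
    $tpm = Get-Tpm
    # Assumption: the TPM-WMI provider logs ID 1794 when the firmware is on the ADV170012 list;
    # this is the log counterpart of the "known security problem" text shown by tpm.msc.
    $flagged = @(Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents 1 -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1794 })
    [pscustomobject]@{
        Present          = $tpm.TpmPresent
        Ready            = $tpm.TpmReady
        Manufacturer     = $tpm.ManufacturerIdTxt   # 'IFX' for the Infineon parts in the post
        FirmwareVersion  = $tpm.ManufacturerVersion # the poster's units went from 6.40 (flagged) to 6.43 (clear)
        Adv170012Flagged = ($flagged.Count -gt 0)
    }
}

function Backup-BitLockerRecoveryInfo {
    param([string]$MountPoint, [string]$BackupDir)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        # This is exactly the poster's situation: Windows itself reports the OS volume as unprotected,
        # so there is nothing to export from here and the WinRE route in the thread applies instead.
        Write-Warning "$MountPoint reports ProtectionStatus=$($vol.ProtectionStatus); nothing to back up from Windows."
        return $null
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $rp    = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $file  = Join-Path $BackupDir ("RecoveryPassword-{0}.txt" -f $env:COMPUTERNAME)
    $lines = @($rp | ForEach-Object { "$($_.KeyProtectorId) $($_.RecoveryPassword)" })
    Set-Content -Path $file -Value $lines
    # Save the external (startup) key as well, so the TPM+USB protector can be re-created after the flash.
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'ExternalKey' | ForEach-Object {
        manage-bde -protectors -get $MountPoint -id $_.KeyProtectorId -SaveExternalKey $BackupDir | Out-Null
    }
    return $file
}

$report = Get-TpmFirmwareReport
$report | Format-List

if ($report.Adv170012Flagged) {
    Write-Host "TPM firmware is flagged under ADV170012; backing up protectors and suspending BitLocker."
    $saved = Backup-BitLockerRecoveryInfo -MountPoint $MountPoint -BackupDir $BackupDir
    if ($saved) {
        Write-Host "Recovery information written to $saved"
        # RebootCount 0 keeps BitLocker suspended until Resume-BitLocker is run explicitly, so the
        # firmware flash and its reboots cannot trip the TPM-sealed protector into recovery.
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
        Write-Host "BitLocker suspended on $MountPoint. Flash the firmware, then run: Resume-BitLocker -MountPoint $MountPoint"
    }
}
```

Suspending (clear-key) rather than decrypting keeps the data encrypted on disk across the firmware update; a fresh firmware changes the TPM's measurements, which is why the protector is suspended before the flash and resumed afterwards. On a machine that is already in the split state described further down this thread, the backup function deliberately stops, because the Windows view of the volume is the wrong one to trust.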

All replies

  • I have seen an eDrive bug of just that calibre before with a Samsung 850 EVO. It was frightening, to say the least. I have kept away from using hardware encryption ever since. The problem was not reproducible. Read that horror story here: https://www.administrator.de/wissen/erschreckende-erfahrungen-samsungs-self-encrypting-drive-bitlocker-283659.html

    (use browser translation features if needed).

    Saturday, March 17, 2018 5:29 PM
  • Thanks. I don't think this is related, but that is a horror-story.

    I resolved it, although not entirely to my satisfaction. Here's what I found:

    The OS volume is "BitLocker-corrupted". I suspect this was either due to the TPM vulnerability and then a Windows Update, or the installation of the Fall Creators Update, or both. To escape the Automatic Startup Repair boot loop, I booted from a Windows 10 flash drive I made, then entered the Command Prompt, then used this command to fix it:

    chkdsk /f c:

    The important text of the result was:

    The type of the file system is NTFS.
    The first NTFS boot sector is unreadable or corrupt.
    Reading second NTFS boot sector instead.
    Windows has made corrections to the file system.
    No further action is required.

    Now that I could boot into Windows, I confirmed that the Manage BitLocker control panel area said C: BitLocker off. I used a manage-bde -status command in command prompt and this was the result:

    Volume C: []
    [OS Volume]
    Size: 232.33 GB
    BitLocker Version: None
    Conversion Status: Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method: None
    Protection Status: Protection Off
    Lock Status: Unlocked
    Identification Field: None
    Key Protectors: None Found

    Next, I rebooted and booted to the Windows 10 flash drive, then Repair, then Command Prompt. I had to enter the BitLocker Recovery key to unlock the OS drive. In command prompt, I ran the manage-bde -status command and got this result:

    Volume C: []
    [Data Volume]
    Size: 232.33 GB
    BitLocker Version: 2.0
    Conversion Status: Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method: Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status: Protection On
    Lock Status: Unlocked
    Identification Field: Unknown
    Automatic Unlock: Disabled
    Key Protectors: Numerical Password, TPM and Startup Key, External Key

    Notice the following differences between the status command in Windows and from the Windows 10 Recovery Environment:

    In Windows
    Reports that BitLocker is Off and that C: is the OS volume.

    In Windows RE
    Reports that BitLocker is On and that C: is a Data volume.

    From there, I issued a manage-bde -off c: command and it completed successfully. I could then boot into Windows 10 normally and turn on BitLocker on drive C: using the control panel. It passed the startup check at that point and made new keys.

    The casualty in this is that it would not allow hardware encryption and would only do software-based encryption. I tried a manage-bde -on c: -rp -tsk d:\ -fet hardware and got this error:

    An error occurred (code 0x803100b2): The drive specified does not support hardware-based encryption.

    The only way I know to re-enable the SED (hardware encryption) on the Samsung EVO 850 is to reinstall Windows. What a pain.

    Thursday, April 5, 2018 7:38 PM
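The split state this reply documents (Windows: OS volume, fully decrypted, no protectors; WinRE: data volume, fully encrypted, hardware method, three protectors) is easy to miss if you only look from one side. The following is an added example, not the reply author's code: a small parser for manage-bde -status output and a check that compares the two views and names each discrepancy. The two samples are constructed from the output quoted in the reply; the function names and the file path in the usage note are assumptions.

```powershell
# Added example, not from the original reply. Parses manage-bde -status text and flags the
# Windows-vs-WinRE mismatch described in the thread. Works in full Windows (WinRE has no PowerShell).

function ConvertFrom-BdeStatus {
    # Turns the "Volume X: []" / "[OS Volume]" / "Key: Value" lines into one object per volume.
    param([Parameter(Mandatory)][string[]]$Lines)
    $volumes = @()
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^Volume\s+(?<mp>[A-Z]:)') {
            $current  = [ordered]@{ MountPoint = $Matches.mp }
            $volumes += $current
        }
        elseif ($current -and $line -match '^\[(?<kind>.+ Volume)\]$') {
            $current.VolumeKind = $Matches.kind          # "OS Volume" or "Data Volume"
        }
        elseif ($current -and $line -match '^(?<key>[^:]+):\s*(?<val>.*)$') {
            $current[$Matches.key.Trim()] = $Matches.val.Trim()
        }
    }
    return $volumes | ForEach-Object { [pscustomobject]$_ }
}

function Test-BdeSplitState {
    # Returns one line per discrepancy between the Windows view and the WinRE view of the same volume.
    param([Parameter(Mandatory)]$FromWindows, [Parameter(Mandatory)]$FromWinRE)
    $findings = @()
    foreach ($w in $FromWindows) {
        $r = $FromWinRE | Where-Object MountPoint -eq $w.MountPoint
        if (-not $r) { continue }
        if ($w.'Conversion Status' -eq 'Fully Decrypted' -and $r.'Conversion Status' -eq 'Fully Encrypted') {
            $findings += "$($w.MountPoint): Windows says Fully Decrypted, WinRE says Fully Encrypted"
        }
        if ($w.VolumeKind -ne $r.VolumeKind) {
            $findings += "$($w.MountPoint): volume kind differs ($($w.VolumeKind) vs $($r.VolumeKind))"
        }
        if ($w.'Key Protectors' -eq 'None Found' -and $r.'Key Protectors' -ne 'None Found') {
            $findings += "$($w.MountPoint): protectors invisible to Windows: $($r.'Key Protectors')"
        }
        if ($w.'Encryption Method' -ne $r.'Encryption Method') {
            $findings += "$($w.MountPoint): encryption method differs ($($w.'Encryption Method') vs $($r.'Encryption Method'))"
        }
    }
    return $findings
}

function Get-LiveBdeStatus {
    # Live capture from the running Windows. For the WinRE side, redirect in its command prompt
    # (manage-bde -status C: > D:\winre-status.txt) and read that file back here with Get-Content.
    param([string]$MountPoint = 'C:')
    ConvertFrom-BdeStatus -Lines (& manage-bde -status $MountPoint)
}

# Constructed samples, transcribed from the two status dumps quoted in the reply.
$windowsView = @'
Volume C: []
[OS Volume]
    Size: 232.33 GB
    BitLocker Version: None
    Conversion Status: Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method: None
    Protection Status: Protection Off
    Lock Status: Unlocked
    Identification Field: None
    Key Protectors: None Found
'@ -split "`r?`n"

$winreView = @'
Volume C: []
[Data Volume]
    Size: 232.33 GB
    BitLocker Version: 2.0
    Conversion Status: Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method: Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status: Protection On
    Lock Status: Unlocked
    Identification Field: Unknown
    Automatic Unlock: Disabled
    Key Protectors: Numerical Password, TPM and Startup Key, External Key
'@ -split "`r?`n"

$findings = Test-BdeSplitState -FromWindows (ConvertFrom-BdeStatus $windowsView) -FromWinRE (ConvertFrom-BdeStatus $winreView)
$findings | ForEach-Object { Write-Host "MISMATCH: $_" }
if ($findings) {
    Write-Host "Windows is not seeing the real volume state; follow the reply: boot WinRE, unlock with the recovery password, then manage-bde -off C:"
}
```

With the two samples above, the check reports all four discrepancies. The practical point the reply makes is that the WinRE view is the authoritative one: the volume is still hardware-encrypted with its three protectors intact, so `manage-bde -off C:` has to be issued from WinRE, where the metadata is readable, before Windows can create a clean new configuration. Note also that re-enabling from Windows while the two views disagree is what produced the boot-sector corruption the poster had to repair with `chkdsk /f c:`.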
  • Thanks for sharing your insights on this case. It will definitely benefit others who encounter a similar question to yours.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 10, 2018 12:28 PM
  • Hello,

    Same story here :

    • 1803 upgrade
    • Warning about TPM firmware to upgrade (but BitLocker had to be disabled before)
    • Checked BitLocker status to disable it and faced the same situation: status mismatch between Windows (already disabled?!) and Windows RE (enabled) (actually 1803, like previous Win10 major upgrades, is supposed to temporarily disable BitLocker then re-enable it... but here we jumped into this weird situation where BitLocker was actually enabled but not recognized to be so in Windows 1803)
    • Disabled BitLocker with hardware encryption in Windows RE ("manage-bde -off"). Then the BitLocker status was matching between Windows and Windows RE.
    • Successfully upgraded TPM firmware from 1.2 to 2.0 (provided by HP). No more TPM firmware upgrade alert in Win10 1803.
    • Tried to re-enable BitLocker but it refused to use eDrive hardware encryption. From now on I have to use BitLocker in software mode because the SSD is no longer recognized as supporting hardware encryption.

    I also faced another case where the 1803 upgrade ran successfully without the BitLocker status mismatch issue (it was enabled in Windows 1803 as it was supposed to be). Again the TPM FW warning. Disabled BitLocker, upgraded TPM FW, then re-enabled BitLocker, but again only available in software encryption.

    So it seems that the eDrive/hardware encryption capability is no longer recognized in Windows 10 1803 after disabling BitLocker and upgrading the TPM FW as advised...

    Is anyone able to report this situation to Microsoft and propose a solution to re-enable hardware encryption?

    Thanks,

    Denis.

    Wednesday, June 6, 2018 8:52 AM
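Both posters end in the same place: after `manage-bde -off` and the TPM firmware update, the drive is refused for hardware encryption (manage-bde reports 0x803100b2) and only software encryption is accepted. The following added example (PowerShell; not code from either poster) re-protects the OS volume the way the thread's setup used it (TPM + startup key, plus a recovery password), first asking for hardware encryption and falling back to software XTS-AES 256 when the drive is refused, so the outcome is explicit rather than discovered at the control panel. Assumptions, also marked in the code: the startup key lives on D:\, and XTS-AES 256 is the software method you want.

```powershell
# Added example, not from the original posts. Run elevated in full Windows after manage-bde -off
# has completed (volume reports FullyDecrypted) and after the TPM firmware has been updated.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint     = 'C:',
    [string]$StartupKeyPath = 'D:\'   # assumption: removable drive that will hold the TPM+USB startup key
)

function Enable-BitLockerPreferHardware {
    param([string]$MountPoint, [string]$StartupKeyPath)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint is $($vol.VolumeStatus); finish manage-bde -off (from WinRE if Windows cannot see the volume) before re-protecting."
    }
    $common = @{ MountPoint = $MountPoint; TpmAndStartupKeyProtector = $true; StartupKeyPath = $StartupKeyPath }
    try {
        # -HardwareEncryption asks for the drive's own eDrive engine. It fails when Windows no longer
        # treats the SSD as eDrive-capable, which is the state both posters describe.
        Enable-BitLocker @common -HardwareEncryption -ErrorAction Stop | Out-Null
        $mode = 'hardware'
    }
    catch {
        Write-Warning "Hardware encryption refused on $MountPoint ($($_.Exception.Message)); falling back to software XTS-AES 256."
        Enable-BitLocker @common -EncryptionMethod XtsAes256 -ErrorAction Stop | Out-Null
        $mode = 'software'
    }
    # A recovery password is the only protector usable from WinRE without the USB key, so add one now
    # and hand it back to the caller to be stored (AD, Azure AD, or printed), never left on the machine only.
    $after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp    = $after.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    [pscustomobject]@{
        MountPoint       = $MountPoint
        Mode             = $mode
        RecoveryPassword = $rp.RecoveryPassword
        ProtectorId      = $rp.KeyProtectorId
    }
}

$result = Enable-BitLockerPreferHardware -MountPoint $MountPoint -StartupKeyPath $StartupKeyPath
$result | Format-List

# The hardware test runs on the next reboot; once it passes, confirm which method was actually applied.
(Get-BitLockerVolume -MountPoint $MountPoint) | Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus
```

The fallback is deliberate rather than silent: a fleet that was deployed with eDrive should know which machines came back on software encryption, because hardware and software modes have different performance and different trust assumptions (the drive's own controller versus the Windows kernel). The thread has no fix for restoring eDrive recognition short of a reinstall, so this script does not claim one; it only makes the downgrade visible and leaves the volume protected either way.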