Microsoft BitLocker - Recovery

  • Question

  • I have recently deployed several new Dell Latitude E5280 machines to my organization. These Dell machines come with pre-built Windows 10 Pro 64-bit and a TPM chip. I have finished deploying all machines and also set up BitLocker. But suddenly, on some laptops, when they boot up they show the BitLocker Recovery Key screen. I didn't activate/run the command to force BitLocker recovery, but it just shows up. Please advise what I should do.

    Thanks so much.

    Tuesday, December 5, 2017 6:47 AM

All replies

  • Please verify: what version is your TPM module, is it 1.2 or 2.0 ("Intel PTT" = TPM 2.0)?

    If 2.0, did you install Win10 as UEFI? You have to, otherwise the observed behavior is normal.

    Tuesday, December 5, 2017 8:34 AM
  • Hi Ronald,

    The TPM is 2.0. Correct, I'm installing Win10 as UEFI according to the BIOS settings.

    Do you have any suggestion about how to repair this without running the decryption and start the encryption process again?


    Tuesday, December 5, 2017 10:41 AM
  • Please confirm again: do you see an EFI partition in diskmgmt.msc? Mouse over would show "EFI System Partition", the size would be about 99MB.

    If there is one, please verify that the TPM protector is still in place. On an elevated command prompt, please launch:

    manage-bde -protectors -get c:

    If there is a TPM protector, please consult the system event log and let it display errors and warnings and search the current day for TPM errors and quote those.

    Tuesday, December 5, 2017 10:50 AM
  • Hi,

    Yes, it shows an EFI System Partition.

    I have run the command manage-bde and this is what it shows

    As for this, I have to take a look in the event viewer for any TPM logs right?

    If there is a TPM protector, please consult the system event log and let it display errors and warnings and search the current day for TPM errors and quote those.

    Wednesday, December 6, 2017 11:00 AM
  • This is what is shown in the system log

    "Bootmgr failed to unseal VMK using the TPM"

    After that it shows this in the event log

    "Bootmgr failed to obtain the BitLocker volume master key from the TPM."

    Please advise.

    Wednesday, December 6, 2017 11:15 AM
  • Yes, those were the log entries I was looking for.

    Hm, something is not right about your TPM. Could you please remove the TPM protector and re-add it?

    manage-bde -protectors -delete c: -type tpm

    manage-bde -protectors -add c: -TPM

    Wednesday, December 6, 2017 12:42 PM
  • Hi Ronald,

    This is what I get when I try to re-add the TPM

    What should I do?

    Monday, December 11, 2017 11:05 AM
  • Monday, December 11, 2017 11:56 AM
  • Hi Ronald,

    It's still not working. I will try figuring out another way.

    Thanks for the help.

    Tuesday, December 12, 2017 7:36 AM
  • Let us know what you find out.
    Tuesday, December 12, 2017 9:28 AM
  • Why did you say that the behavior is normal?

    Thank you

    Tuesday, January 15, 2019 9:08 AM
  • Hi Marco.

    If we use the TPM as the BitLocker protector and the TPM is a TPM 2.0, we need to install Windows with UEFI partitioning. Otherwise, the TPM will not release the key and the recovery key will be needed to unlock the drive each time the system starts. This does not happen with TPM 1.2, by the way.

    Tuesday, January 15, 2019 9:57 AM
  • Thank you Ronald for your clarification. In my case the customer has notebooks with TPM 1.2. After the pilot migration phase to Windows 10, 10% of computers required the recovery key a few days after the migration, and the error is related to event ID 24635 (PCRs did not match). At this moment the root cause has not yet been identified.
    Tuesday, January 15, 2019 3:01 PM
  • Hello!

    Could you try to run the cmdlet below and restart the machine.

    manage-bde -protectors -disable c:

    Tuesday, January 15, 2019 3:11 PM
  • Hi Rennan, the local support team already executed a set of activities post-issue. The real question is to identify what could be the cause of the issue.
    Tuesday, January 15, 2019 3:42 PM
  • Marco, possible causes are:

    -firmware/BIOS/UEFI updates of devices or device components (sometimes these ship with Windows Update in case you have a Microsoft Surface)

    -hardware changes

    -undocking a laptop (no kidding!)

    -changing the boot order

    -turning off secure boot

    These are the most common in my opinion.

    Wednesday, January 16, 2019 7:19 AM
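The checks the replies above ask for one at a time (TPM version, UEFI vs. legacy boot, the protectors on C:, and the BitLocker-Driver errors such as event ID 24635) can be collected in one pass. The script below is an added example, not code from the thread or from Microsoft; it uses only documented cmdlets (Get-CimInstance, Confirm-SecureBootUEFI, Get-BitLockerVolume, Get-WinEvent) and assumes it is run from an elevated PowerShell on the affected machine.

```powershell
# Added diagnostic script (not from the thread). Gathers the facts the replies ask for:
# TPM spec version, firmware mode, BitLocker protectors on C:, and recent BitLocker-Driver
# errors/warnings such as event ID 24635 (PCRs did not match). Run from an elevated PowerShell.

$report = [ordered]@{}

# TPM spec version from the Win32_Tpm WMI class; a value starting with "2.0" means TPM 2.0
$tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$report.TpmSpecVersion = if ($tpm) { $tpm.SpecVersion } else { 'no TPM found' }

# Firmware mode Windows booted in: "UEFI" or "Legacy"
$report.FirmwareType = $env:firmware_type

# Secure Boot state (the cmdlet throws on legacy BIOS machines, hence the try/catch)
try { $report.SecureBoot = Confirm-SecureBootUEFI } catch { $report.SecureBoot = 'unsupported (legacy BIOS)' }

# Key protectors on the OS drive, the PowerShell equivalent of "manage-bde -protectors -get c:"
$vol = Get-BitLockerVolume -MountPoint 'C:'
$report.ProtectionStatus = $vol.ProtectionStatus
$report.KeyProtectors    = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '

# Flag the combination the thread identifies as always ending in a recovery prompt
if ($report.TpmSpecVersion -like '2.0*' -and $report.FirmwareType -ne 'UEFI') {
    $report.Warning = 'TPM 2.0 with legacy BIOS boot: the TPM will not unseal the VMK, recovery prompt expected'
}

# BitLocker-Driver errors (level 2) and warnings (level 3) from the last 7 days;
# 24635 = PCRs did not match, the "Bootmgr failed to unseal VMK" family of events
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-BitLocker-Driver'
    Level        = 2, 3
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

[pscustomobject]$report | Format-List
$events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

A PCR mismatch event with a timestamp just after a firmware update, docking change or boot-order change points at one of the causes in the reply above; a TPM 2.0 machine reporting "Legacy" firmware type is the case Ronald describes as normal.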