Bitlocker and Thunderbolt Docks

  • Question

  • We have been running into an ongoing issue of deploying Sophos Safeguard which manages Bitlocker to laptops that utilize Thunderbolt Docks.  

    We will begin by encrypting the PC while it is on the dock.  After it has completed encryption, we shut it down and remove it from the dock.  After it boots back up, it requires a recovery key due to a hardware change.   We enter the recovery key and no more issues.  That is until the user docks on the thunderbolt dock.  It once again detects a hardware change and requests a recovery key.

    I then tried encrypting the laptop off the dock.  After it completes encryption, I shut it down and dock it.  Same issue.  

    Bitlocker is picking up the thunderbolt dock as a hardware change.  I found this link from Dell on how to disable the thunderbolt support.  
    http://www.dell.com/support/article/us/en/19/SLN304584/bitlocker-asks-for-a-recovery-key-every-boot?lang=EN

    This work around causes another set of issues.  Such as the monitors not working after the pc boots.  Does Microsoft have a fix for the Thunderbolt support?  Is it possible for Bitlocker to ignore the thunderbolt hardware change?

    Wednesday, February 22, 2017 6:59 PM

All replies

  • Hi John,

    BitLocker is designed to go into recovery mode when docking/undocking a portable PC.

    Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. This means that if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 23, 2017 6:35 AM
    Moderator
  • Is this being addressed to change this in the future?  Requiring the user to request a recovery key each time they undock is unacceptable.  At the same time, requiring companies to disable the thunderbolt technology is unacceptable.  

    Is there a work around to this without disabling the thunderbolt technology?

    Thursday, February 23, 2017 2:12 PM
  • Is this being addressed to change this in the future?  

    Is there a work around to this without disabling the thunderbolt technology?

    John,

    So far, no. It's against BitLocker security strategy.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 24, 2017 8:17 AM
    Moderator

  • John,

    So far, no. It's against BitLocker security strategy.



    Karen_Hu,

    Would you happen to have more information on this decision or other documentation on this that I can provide to my leadership team?  

    Thanks,

    John

    Friday, February 24, 2017 7:47 PM
  • You can exclude PCR[02] from getting measured in BitLocker from Group policy.  Launch GpEdit.msc > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Configure TPM platform validation profile for native UEFI firmware configurations > Enable policy and exclude PCR 2

    After doing that you need to completely decrypt the OS drive or suspend and reboot.

    1. Manage-bde -protectors -disable C:

    2. Reboot

    Keep in mind that you are lessening BitLocker security by excluding PCR[02]


    ~~~~~~~~~~~~~~~~~~~~

    Saturday, February 25, 2017 4:06 AM
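    An added example (not posted in the thread) that checks the procedure above from the defender's side: it compares the PCR profile the Group Policy writes with the profile the existing TPM protector is actually sealed to, and only suspends protection for the re-seal reboot when the two disagree. It assumes the standard FVE policy registry path and the "PCR Validation Profile:" layout of `manage-bde -protectors -get` output; run it elevated.

    ```powershell
    # Added example, not from the original thread. Assumptions: the GPO
    # "Configure TPM platform validation profile for native UEFI firmware
    # configurations" writes to the FVE policy key below, and manage-bde prints
    # the bound PCR list on the line after "PCR Validation Profile:".
    $PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $Volume    = 'C:'

    function Get-PolicyPcrProfile {
        # PCR indexes the policy marks as included (DWORD value 1); $null if no policy.
        if (-not (Test-Path $PolicyKey)) { return $null }
        (Get-ItemProperty -Path $PolicyKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' -and $_.Value -eq 1 } |
            ForEach-Object { [int]$_.Name } | Sort-Object
    }

    function Get-SealedPcrProfile {
        # What the current TPM protector is sealed to. Policy only affects protectors
        # created after it applies, which is why the suspend/reboot step is needed.
        $out = & manage-bde -protectors -get $Volume 2>&1 | ForEach-Object { "$_" }
        for ($i = 0; $i -lt $out.Count - 1; $i++) {
            if ($out[$i] -match 'PCR Validation Profile:') {
                return ($out[$i + 1] -split '[,\s]+' |
                    Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ })
            }
        }
        return $null
    }

    $policy = Get-PolicyPcrProfile
    $sealed = Get-SealedPcrProfile
    "Policy profile : $(if ($policy) { $policy -join ',' } else { '<not configured>' })"
    "Sealed profile : $(if ($sealed) { $sealed -join ',' } else { '<no TPM protector found>' })"

    # PCR[2] holds the option ROM / extensible firmware code measurements, which is
    # what changes when a Thunderbolt dock adds PCIe devices at boot.
    if ($sealed -contains 2) {
        if ($policy -and -not ($policy -contains 2)) {
            # Policy excludes PCR 2 but the protector predates it: suspend so the
            # key is re-sealed to the new profile on the next boot (one reboot only).
            Write-Warning 'TPM protector still bound to PCR 2; suspending for re-seal.'
            & manage-bde -protectors -disable $Volume
            # Restart-Computer   # uncomment to reboot immediately
        } else {
            Write-Warning 'PCR 2 is bound and no exclusion policy applies; dock changes will trigger recovery.'
        }
    } else {
        'PCR 2 is not part of the sealed profile; docking should not trigger recovery on this account.'
    }
    ```

    Record the "before" and "after" profiles in your change ticket, since excluding PCR[02] is a deliberate reduction of the measured boot binding and auditors will ask why.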
  • You can exclude PCR[02] from getting measured in BitLocker from Group policy.  Launch GpEdit.msc > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Configure TPM platform validation profile for native UEFI firmware configurations > Enable policy and exclude PCR 2

    After doing that you need to completely decrypt the OS drive or suspend and reboot.

    1. Manage-bde -protectors -disable C:

    2. Reboot

    Keep in mind that you are lessening BitLocker security by excluding PCR[02]


    ~~~~~~~~~~~~~~~~~~~~

    I just ran a test with this and it appears to work.  We are going to continue to test with it for a week or so until we deploy it to PCs that are having the issue.

    Thank you,

    Monday, February 27, 2017 5:07 PM

  • Karen_Hu,

    Would you happen to have more information on this decision or other documentation on this that I can provide to my leadership team?  

    Thanks,

    John

    John,

    Yes, please scan this official document's "What causes BitLocker to start into recovery mode when attempting to start the operating system drive?" section:

    BitLocker Drive Encryption in Windows 7: Frequently Asked Questions

    https://technet.microsoft.com/en-us/library/ee449438%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 1, 2017 5:41 AM
    Moderator