Windows 10 BitLocker and keyboard removal

    Question

  • Hello all and thanks in advance.

    We are testing the deployment of BitLocker on our Windows 10 machines.  Here is what we have been able to do:

    • Create group policy to set encryption of OS and fixed drives and disabled control on removable drives
    • Extend the AD schema so we can store the keys in AD
    • OS drives and fixed disks do encrypt and work correctly with TPM
    • Confirm the keys are stored and work to access the encrypted drives
    • Confirmed when a drive is removed and placed in a different workstation, the key is prompted for

    We are running 10 ver. 1607 on Lenovo equipment.

    What we have found that is failing is when a keyboard is unplugged.  When a system is powered on after having its keyboard removed, it prompts for the BitLocker key.  It does not happen when the mouse is removed.

    As some of our staff use laptops, this is an issue when they unplug their keyboards and leave to work from the road.  We have been unable to determine what GP will stop this action.

    I look forward to any suggestion you may have.

    Friday, April 14, 2017 4:46 PM

All replies

  • So you use tablets with detachable keyboards? When a TPM is used, hardware changes are detected and some lead to bitlocker recovery being triggered. You would need to turn off this detection which would make your system a little more unsafe, though. See https://social.technet.microsoft.com/Forums/en-US/170e94a8-6102-4aee-bfb8-bc3cfe26927e/what-is-the-real-risk-of-disabling-pcr-2-for-the-tpm-check?forum=mdopmbam
    Saturday, April 15, 2017 8:56 AM
  • Hi Ronald,

    Thank you for the reply.  In our situation, the keyboards in question are the standard Lenovo and Microsoft keyboards.  Both USB cabled with no USB hub built in.  In reference to your prior response to WBrady, the keyboard they were testing had a USB hub built in.

    I do understand what happens with a device plugged in that has the ability to be a storage device (plug in your USB cable and attach it to your phone and boot your computer); the TPM/BitLocker considers this a change in attached fix disks.

    But what is the difference between the mouse and the keyboard controllers that is triggering the TPM controller to "whine and complain" about the keyboard changing the system configuration?

    I have looked at the TPM.MSC.  I have found the TPM_PCRRead command.  How would I go about resetting the PCR2 component to be skipped if we find the risk acceptable?

    Again, thanks in advance.

    Monday, April 17, 2017 4:22 PM
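    The two posts above turn on which TPM PCRs the OS volume's key is sealed against, and whether PCR 2 is among them. The following PowerShell audit script is an added example (not posted by anyone in this thread and not Microsoft's or Lenovo's code) that lists each operating-system volume's key protectors, pulls the PCR validation profile out of `manage-bde -protectors -get`, and flags volumes bound to PCR 2 or lacking a recovery password. It assumes `manage-bde` prints a `PCR Validation Profile:` line followed by a comma-separated PCR list; that output format is an assumption of the example, so adjust the regex if your build prints it differently. Run it from an elevated session.

```powershell
# Added example, not from the thread: audit which TPM PCRs each BitLocker
# OS volume is sealed to and whether a recovery password protector exists.
# Assumption: manage-bde output contains a line such as
#   "PCR Validation Profile: 0, 2, 4, 11"  (format assumed, adjust if needed)

Import-Module BitLocker -ErrorAction Stop

function Get-TpmPcrProfile {
    param([Parameter(Mandatory)][string]$MountPoint)
    # manage-bde is the only built-in tool that prints the sealed PCR set
    $text = (& manage-bde.exe -protectors -get $MountPoint 2>&1) | Out-String
    if ($text -match 'PCR Validation Profile:[ \t]*([0-9, ]+)') {
        return @($Matches[1] -split '\s*,\s*' |
                 Where-Object { $_ -match '^\d+$' } |
                 ForEach-Object { [int]$_ })
    }
    return @()   # no TPM protector, or output format differs from the assumption
}

function Get-BitLockerPcrAudit {
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $pcrs  = Get-TpmPcrProfile -MountPoint $vol.MountPoint

        [pscustomobject]@{
            Volume           = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            PcrProfile       = ($pcrs -join ', ')
            # PCR 2 is the bank the thread identifies as changing when some
            # USB devices are attached or removed; being bound to it means
            # such a change forces recovery at boot.
            BoundToPcr2      = ($pcrs -contains 2)
            # A recovery password must exist (and be backed up to AD) before
            # anyone changes the validation profile, or a mismatch locks the
            # machine out rather than prompting for recovery.
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        }
    }
}

Get-BitLockerPcrAudit | Format-Table -AutoSize
```

The PCR set itself is governed by the Group Policy setting "Configure TPM platform validation profile" (one variant for native UEFI firmware, one for BIOS-based firmware) under Operating System Drives in the BitLocker Drive Encryption administrative templates. Changing that policy does not alter a volume that is already sealed; the TPM protector has to be re-sealed, for example by suspending and resuming protection, before the audit above shows the new profile. Keep the recovery-password check green first: dropping a PCR reduces what the TPM validates at boot, which is the trade-off the earlier reply points out.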
  • Standard keyboards may not do this. You should contact Lenovo support and/or MS support as this is buggy behavior.
    Monday, April 17, 2017 5:00 PM
  • Hi Ronald,

    Sorry for the late response.  I appreciate the insight.  Thank you for confirming how I thought the functionality should work.

    For those checking this question, I will post what resolves this situation.

    Leo

    Tuesday, April 18, 2017 8:08 PM
  • Hi Leo,

    We have not heard from you in a couple of days. Please post back at your convenience if we can assist further.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 25, 2017 8:36 AM
    Moderator