No BitLocker Recovery Key prompt when Secure Boot was Disabled

  • Question

  • I went into my UEFI settings to disable Secure Boot as I needed to test some programs and when rebooting my laptop, it went directly to the Windows logon screen without asking for the BitLocker Recovery key.

    My system firmware settings are set to UEFI with no Legacy Mode

    Boot order is set to boot from Windows Boot Mgr first 

    Secure Boot shows that it is enabled in Windows 10 OS 

    TPM version is 1.2 and set as Ready for use under TPM.MSC console.

    My laptop is a Dell E6440 with latest BIOS/Firmware update.

    When I run the following command, Manage-bde -protectors -get %systemdrive%, I get the result below:

    PCR validation profile says PCR 0, 2, 4, 11 and not PCR 7, 11 (Uses Secure Boot for integrity validation)

    Did some more research in Event Viewer, as shown below, and ran across these log entries:

    * BitLocker cannot use Secure Boot for integrity because it is disabled.
    * BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'SecureBoot' is missing or invalid.
    * BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.

    My goal is to have BitLocker ask for the Recovery Key when Secure Boot is disabled. 
    • Edited by AS.Bowen Tuesday, April 9, 2019 6:19 AM
    Tuesday, April 9, 2019 6:17 AM

All replies

  • Please set your TPM chip to tpm 2.0 (or "Intel PTT", whatever Dell calls it) and retry.
    Tuesday, April 9, 2019 9:40 AM
  • Does not exist in my UEFI Firmware. Any other ideas?
    Tuesday, April 9, 2019 9:44 AM
  • Alright, then it's too old to have a TPM 2.0 (according to Dell sources, the processor would need to be of the Intel Skylake generation or newer, while the E6440 has a Haswell CPU).

    I am not sure if this even works without 2.0 (only saw it working myself with TPM 2.0).

    Tuesday, April 9, 2019 9:51 AM
  • This still seems strange, since BitLocker should have asked for the Recovery Key whenever Secure Boot is disabled, even if the TPM version is 1.2. My laptop is a bit outdated, correct, but BitLocker should still ask for the Recovery Key, especially when disabling Secure Boot.

    If any more ideas or suggestions come to mind, please post them.


    • Edited by AS.Bowen Tuesday, April 9, 2019 10:17 AM
    Tuesday, April 9, 2019 10:16 AM
  • And you already tried to change the PCR validation profile?
    Tuesday, April 9, 2019 10:42 AM
  • Tried the Group Policy settings and it did not work. After Secure Boot was disabled, no BitLocker Recovery Key prompt.

    Allow Secure Boot for integrity validation = Enabled

    Configure TPM platform validation profile for native UEFI firmware configurations = Checked PCR7

    Any more to check or try? 

    Tuesday, April 9, 2019 12:55 PM
  • Let's verify the output of

    manage-bde c: -protectors -get

    (delete your recovery key before pasting it)

    Tuesday, April 9, 2019 12:58 PM
  • manage-bde c: -protectors -get c:
    0, 2, 4, 11

    It should be an output of this:
    PCR 7, 11 (Uses Secure Boot for integrity validation)

    Under MSINFO32, I see PCR7 (Binding Not Possible).

    • Edited by AS.Bowen Tuesday, April 9, 2019 1:12 PM
    Tuesday, April 9, 2019 1:10 PM
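An added example, not code posted in this thread, for reading the same information programmatically instead of eyeballing the manage-bde output: it reports the firmware Secure Boot state, the TPM spec version, the platform validation profile the TPM protector on the OS volume is bound to (the "PCR Validation Profile" list), and any recent BitLocker management events mentioning Secure Boot or the TCG log. It assumes an elevated PowerShell prompt on the machine being checked and uses only the built-in Secure Boot cmdlets and the Win32_Tpm / Win32_EncryptableVolume WMI classes.

```powershell
# Added example (not from the thread): show what BitLocker's TPM protector is bound to.
# Run from an elevated PowerShell prompt on the machine under test.
$mount = $env:SystemDrive    # e.g. "C:"

# 1. Firmware view: is Secure Boot on right now? Confirm-SecureBootUEFI throws on
#    legacy-BIOS machines or without elevation, so keep "unknown" as a distinct state.
try   { $secureBootOn = Confirm-SecureBootUEFI }
catch { $secureBootOn = $null }

# 2. TPM spec version as the TPM WMI provider reports it (the thread's E6440 has 1.2).
$tpm = Get-CimInstance -Namespace root\CIMV2\Security\MicrosoftTpm -ClassName Win32_Tpm
$tpmVersion = if ($tpm) { $tpm.SpecVersion } else { 'no TPM provider' }

# 3. The volume's WMI object exposes the protector's platform validation profile,
#    i.e. the PCR list manage-bde prints as "PCR Validation Profile".
$vol = Get-CimInstance -Namespace root\CIMV2\Security\MicrosoftVolumeEncryption `
           -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$mount'"
$tpmIds = @((Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
             -Arguments @{ KeyProtectorType = [uint32]1 }).VolumeKeyProtectorID)  # 1 = TPM only
$profile = @()
if ($tpmIds.Count -gt 0 -and $tpmIds[0]) {
    $res = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorPlatformValidationProfile `
               -Arguments @{ VolumeKeyProtectorID = [string]$tpmIds[0] }
    $profile = @($res.PlatformValidationProfile | Sort-Object)
}

# 4. Interpret the list: "7, 11" is the Secure Boot based profile the thread is after;
#    PCR 7 next to 0/2/4 is what the poster got after re-adding the protector.
$list = $profile -join ', '
if     ($profile.Count -eq 0)          { $state = 'no TPM-only protector on this volume' }
elseif (($profile -join ',') -eq '7,11') { $state = 'Secure Boot based integrity (PCR 7, 11)' }
elseif ($profile -contains 7)          { $state = "PCR 7 listed but legacy PCRs kept: $list" }
else                                   { $state = "legacy profile, Secure Boot not used: $list" }

# 5. Surface the BitLocker management events that explain a missing PCR 7 binding.
$events = Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' `
              -MaxEvents 200 -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'Secure Boot|TCG log' } |
          Select-Object -First 5 TimeCreated, Id,
              @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }

[pscustomobject]@{
    Volume       = $mount
    SecureBootOn = $secureBootOn
    TpmVersion   = $tpmVersion
    PcrProfile   = $list
    Binding      = $state
} | Format-List
$events | Format-Table -AutoSize
```

A machine in the state described in this thread shows PcrProfile "0, 2, 4, 11" (or "0, 2, 4, 7, 11" after the protector is re-added) together with the "cannot use Secure Boot for integrity" events, while a machine where PCR 7 binding works shows "7, 11".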
  • So please remove the TPM protector and add it again and see if it gets the expected 7,11, then.
    Tuesday, April 9, 2019 1:11 PM
  • If I remove the TPM protector, wouldn't that disable BitLocker?

    And do you need me to re-add those Group Policies again as I set them back to as Not Configured?

    Tuesday, April 9, 2019 1:29 PM
  • No, it wouldn't.

    Yes, re-apply the GPO before you re-add the TPM-protector.

    Tuesday, April 9, 2019 1:36 PM
  • Ok, I got it.

    PCR Validation Profile:
    0, 2, 4, 7, 11

    However, the result is missing the "(Uses Secure Boot for integrity validation)" part.

    Tuesday, April 9, 2019 1:41 PM
  • So when you re-applied the TPM protector, was secure boot on or off? I would expect that it needs to be on while applying.
    Tuesday, April 9, 2019 1:42 PM
  • It's on. Should I disable Secure Boot to see if I get the recovery key prompt?
    Tuesday, April 9, 2019 1:45 PM
  • Worth a try.
    Tuesday, April 9, 2019 1:50 PM
  • No luck...

    It should say "(Uses Secure Boot for integrity validation)" in the command output. Or maybe I should remove PCRs 0, 2, 4 and only leave PCRs 7, 11? Let me know what else to try; I will check on this later on. Thanks.

    • Edited by AS.Bowen Tuesday, April 9, 2019 2:07 PM
    Tuesday, April 9, 2019 2:00 PM
  • Tuesday, April 9, 2019 2:09 PM
  • Correct, I did already. Looks like my system is a bit outdated for this to be achieved unless you need me to check and try other things. 
    Tuesday, April 9, 2019 2:20 PM
  • No further ideas, sorry. I must confess I never bothered to check on all systems whether the recovery key prompt does indeed get invoked by toggling secure boot on/off.

    You should set it to on now, then set a bios password and that's that.

    Tuesday, April 9, 2019 2:22 PM
  • This brings me to my next question. Do I really need to set a BIOS/UEFI password in order to protect my data?

    Since I have BitLocker encryption already, will an attacker still be able to read the contents of my data even if I do not set a BIOS/UEFI password? All I care about is my data on the hard drive. 

    So if Secure Boot can be disabled in the UEFI, can the data on the hard drive still be read even if my system is encrypted with BitLocker?

    • Edited by AS.Bowen Tuesday, April 9, 2019 2:54 PM
    Tuesday, April 9, 2019 2:51 PM
  • I remember having discussions about "am I really (really really) protected?" with you before :-)

    You wanted a measure to prevent changing secure boot to: off and that is a bios password. If you don't want to set a bios password, so be it, but you lose that prevention.

    ->Can someone that is able to boot his own USB based OS read your bitlocker drive? - Of course not!

    ->So why would we want a bios pw in the first place? - Usually, I never set one. This was just for your case here. If we have bitlocker with TPM+PIN, we have PBA, so the encryption key will not get to RAM without the PIN, so booting from another medium is totally useless for an attacker.


    Tuesday, April 9, 2019 3:03 PM
  • In my case, I have TPM-only protection. So in this case, can an attacker still read the contents of the hard drive with BitLocker TPM-Only protection if the attacker manages to disable Secure Boot? 

    I just want to remember fewer passwords/PINs; that is why I am asking. But with that being said, of course, one cannot favor convenience over security.

    And, I know there are DMA attacks and the attacker can just even pull out the hard drive as well.

    But for now, I only need to know: if Secure Boot were to be disabled by going into the UEFI settings without a UEFI password, could the attacker still read the contents of the BitLocker encrypted hard drive, even if they try to boot a malicious operating system or software?

    • Edited by AS.Bowen Tuesday, April 9, 2019 3:17 PM
    Tuesday, April 9, 2019 3:10 PM
  • You should read about the term "evil maid attack", which "secure boot" prevents. If you are aware that this attack type is possible and you are not afraid of it, leave all as is. If you are afraid of it, set a bios password or a TPM PIN and be happy. https://en.wikipedia.org/wiki/Evil_maid_attack

    Tuesday, April 9, 2019 3:17 PM
  • As for my system not being able to work with Secure Boot integrity validation, hopefully my next machine will have this feature enabled by default. Until then, I will set a BIOS password. Thank you for the help.

    Just a thought: maybe it's worth trying to disable BitLocker, apply those GPOs again, and then re-enable BitLocker. Maybe the settings did not take effect because BitLocker was already enabled.

    • Edited by AS.Bowen Tuesday, April 9, 2019 3:37 PM
    Tuesday, April 9, 2019 3:28 PM
  • My goal is to have BitLocker ask for the Recovery Key when Secure Boot is disabled. 

    Please note that BitLocker and Secure Boot are not related to each other. They work independently.

    Do not forget, that BitLocker is an offline protector only. BitLocker can only protect your data if your laptop has been stolen or lost. It does not protect you from network attacks that occur more often.

    Tuesday, April 9, 2019 3:49 PM
  • Correct, by default it doesn't. However, there are various Group Policies that can be set to invalidate the TPM when Secure Boot is disabled. 

    When I run the following command, I do not get the result below.

    Manage-bde -protectors -get %systemdrive%
    PCR 7, 11 (Uses Secure Boot for integrity validation)

    • Edited by AS.Bowen Tuesday, April 9, 2019 3:59 PM
    Tuesday, April 9, 2019 3:57 PM
  • "not related" - it is a recommended practice against the foresaid "evil maid attack", so it is directly related to bitlocker, although, of course, it is not a requirement.
    Tuesday, April 9, 2019 4:00 PM
  • BitLocker can be used in conjunction with Secure Boot if certain GPOs are set for it.

    From the link page below:

    https://www.rootusers.com/enable-bitlocker-to-use-secure-boot-for-platform-and-bcd-integrity-validation/

    Setting it explicitly to enabled, or otherwise not configuring it at all (this is the default), BitLocker will use Secure Boot for platform integrity if the platform is capable of Secure Boot based integrity validation.

    If this policy is set and Secure Boot is disabled, it should invalidate the TPM and BitLocker would ask for the recovery key.

    • Edited by AS.Bowen Tuesday, April 9, 2019 4:08 PM
    Tuesday, April 9, 2019 4:03 PM
  • Correct, by default it doesn't. However, there are various Group Policies that can be set to invalidate the TPM when Secure Boot is disabled. 

    When I run the following command, I do not get the result below.

    Manage-bde -protectors -get %systemdrive%
    PCR 7, 11 (Uses Secure Boot for integrity validation)

    Ok, I got your point. Please give me a bit of time to find it out.
    • Edited by Anahaym Tuesday, April 9, 2019 4:11 PM
    Tuesday, April 9, 2019 4:11 PM