BitLocker fails at boot

  • Question

  • BitLocker considers docking and undocking from a Dell docking station as a change in configuration and requires the key. Anyone else having this problem?

     

    Any suggestion?

    Saturday, December 1, 2007 4:58 AM

Answers

  • The most acceptable workaround I have found is actually the opposite.  Build the configuration key with the machine undocked and then save the key to a USB drive.  Then plug the USB drive into the docking station and just leave it there. 

     

    This way as long as your office is physically secure you are OK, but you will definitely be protected on the road which was my main concern should a hard drive be stolen.

     

    I state this with the fact that I believe bitlocker should have been designed to work with docking stations and laptops.  Extremely short-sighted in my view.

     

    Friday, December 14, 2007 1:38 PM

All replies

  • Hi,

     

    If you use BitLocker Drive Encryption on a computer that has the Trusted Platform Module (TPM) security hardware (a special microchip in some newer computers that supports advanced security features), version 1.2 or higher, the TPM checks the system during startup for conditions that could indicate a security risk. These conditions could include disk errors, changes to the basic input/output system (BIOS), changes to other startup components, or evidence that the hard disk is being started in a different computer.

     

    If the TPM detects such a condition, BitLocker will not unlock the drive with Windows installed on it and will enter a recovery mode that requires the BitLocker recovery password to unlock it.

     

    Notes

    Some BitLocker features and settings can be enabled by Group Policy settings.

     

    Assistive technology software that runs on Windows, such as screen reading software, cannot read BitLocker startup screens because they are displayed during BIOS startup and before Windows runs. This includes screens used when you type a PIN or recovery password, and any BitLocker error messages.

     

    Additional Reference

    Windows BitLocker Drive Encryption Step-by-Step Guide

    http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true

     

    Windows BitLocker Drive Encryption Frequently Asked Questions

    http://technet2.microsoft.com/WindowsVista/en/library/58358421-a7f5-4c97-ab41-2bcc61a58a701033.mspx?mfr=true

     

    Hope it helps.

    Thursday, December 6, 2007 6:24 AM
  • I appreciate the response.  I may be missing it, but I am not seeing anything here that addresses the problem.  I understand how BitLocker fails.  The problem here is that it is flagging a dock/undock as a change in configuration.

     

    Let me know if I missed the answer to my problem in the response.  I had already read all the various guides and links and didn't see anything anywhere concerning a docking station.

     

    To me, a laptop would be the prime candidate for BitLocker, so I would think it would be able to accommodate a dock/undock without triggering a change event.

    Thursday, December 6, 2007 1:29 PM
  • Hi,

    I don't know much about the Dell docking station; maybe we have missed something.

    I recommend that you contact Dell support to get more information on PC booting with the Dell docking station.

    Thanks for your understanding.
    Friday, December 7, 2007 2:25 AM
  • Why would Dell have to support an MS product?  There is not a problem with the PC booting on the docking station; the problem is with BitLocker thinking the docking station is a new PC.

     

    Thursday, December 13, 2007 1:22 PM
  • Hi,
     
    Thanks for your post!
     

    Regarding the issue of BitLocker requiring the pass key when a notebook is inserted into a docking station: I think this is by design, as it is a hardware change to the system. BitLocker is designed to keep system data secure if there is a hardware change on the system, and a docking station is considered a hardware change when attached to a notebook.

     

    BitLocker does not support laptops with docking stations that use option ROMs.

     

    I found a work-around for this issue. It would make sense that building the image in a docked configuration would keep BitLocker from detecting a new/added hardware device on the machine when inserting it into the docking station.

     

    Also, you can follow the steps below to temporarily disable BitLocker or decrypt the BitLocker-protected volume.

    1.    You must be logged on as an administrator.

    2.    Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.

    3.    From the BitLocker Drive Encryption page, find the volume on which you want BitLocker Drive Encryption turned off, and click Turn Off BitLocker Drive Encryption.

    4.    From the What level of decryption do you want dialog box, click either Disable BitLocker Drive Encryption or Decrypt the volume as needed.

     

    Hope it helps.

     
    Friday, December 14, 2007 8:08 AM
  • Thanks for sharing your experience here.

    It would be helpful to others who may have the same problem in the future.
    Monday, December 17, 2007 3:19 AM
  • I am having the same problem on a Lenovo X200 tablet.  After adding a multi-writer DVD to my docking station I started getting prompted for the BitLocker key on docked boot.  I followed instructions to suspend BitLocker, make changes, then resume.  Now I get prompted for the BitLocker key when booting undocked.

    This Technet article covers the issue.

    http://technet.microsoft.com/en-us/library/ee449438%28WS.10%29.aspx

    in the section titled:

    What causes BitLocker to start into recovery mode when attempting to start the operating system drive?

    "Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker."

    The article does not offer any solution.

    Tuesday, March 30, 2010 2:44 PM
  • I had the same problem at my Company and here is what I did to correct the issue.

    1. Suspend Bitlocker

    2. Reboot into the bios settings

    3. Removed the cd rom drive from the boot priority list

    4. Rebooted and enabled bitlocker again

     

    So far no issues and the x200 boots fine docked or undocked. I assume you can do this with other devices that cause issues but have not tried.

     

     

    • Proposed as answer by Hyacinthus Wednesday, August 25, 2010 4:17 AM
    Tuesday, April 13, 2010 1:11 AM
  • This doesn't solve the problem. You're just reiterating what we already knew about BL. This is an issue that many enterprise users are facing when using a USB docking station. A more acceptable solution is required. We have this problem as well. Thanks.
    Tuesday, May 8, 2012 2:04 PM
  • This workaround is promising, but still, when you remove the laptop from the USB dock and somehow reboot/restart the machine, it then goes back to the BL key screen asking for the key to be typed in. When we had ProBooks that don't have TPM chips, we solved this issue by saving the key to a USB drive (we got the tiny USB drives) and had it plugged in permanently into the laptop's USB port. Since the USB footprint was so tiny, our users never even noticed that it was there. The only risk we told our users is that it must not be removed from the laptop or they will not be able to log on without contacting the help desk for the encryption key if they restart the computer. Seemed to work since. Our issue right now is using the ultrabooks with only 2 USB ports available.
    Tuesday, May 8, 2012 2:11 PM
  • My HP Folio 13 does not have the option to remove the USB/OPTICAL DISC option from the boot priority so this won't work on my current setup. Sigh! Anyone else have other workaround?
    Tuesday, May 8, 2012 2:13 PM
  • did you get anywhere with this, I have no dock but my Folio 13 won't start without the key.  We've happily bitlockered 100+ laptops before this one.

    Tuesday, May 15, 2012 12:48 PM
  • We also are having the same issues with the HP Folio F13-2000: as soon as you undock the USB 3.0 Port Replicator it will ask for the B/L key.

    If you enter the key, boot to Windows, suspend B/L, reboot, re-enable and reboot, the prompt for the B/L key will go; however, as soon as you plug the USB 3.0 Port Replicator back in it prompts for the key again!!

    Any fresh ideas on this since posted in May?

    NB: for Lenovo it is now well documented and a BIOS update (from memory) fixes the issue. Thanks for any latest HP resolutions.

    Monday, August 20, 2012 4:44 AM
  • I've been pulling my hair out for a long time now about this. First we have the HP 23 inch LCD that has a built-in USB 3.0 docking station, and every time I unplug the USB from the Folio 13 and shut down the laptop, BitLocker asks for the key when I start it. The workaround of suspend-resume only helps if the USB dock is connected to the laptop when booting. The problem is when you disconnect the USB dock from the laptop; the laptop then asks for the BL key when booting. Agghhh! So annoying!

    Friday, November 16, 2012 9:52 PM
  • What HP resolution? Nada from HP. Just really frustrating that HP is silent on this. Upgraded my Folio's BIOS to the latest on HP's website but it still does not solve the issue. Every time I unplug the USB dock, rebooting requires the BL key. :(
    Friday, November 16, 2012 10:02 PM
  • No, unfortunately. As of this writing, we are still having the problem. Fortunately for us, we were just in the testing phase so we put it on hold. Unfortunately though, the HP Folio 13 product line is now End of Life (EOL) and replaced by the HP Spectre XT Pro and the HP EliteBook Folio 9470m. The EliteBook Folio is dockable so we're looking into this model very seriously. Still testing the HP Spectre XT as I've just gotten the unit last week.
    Monday, November 26, 2012 3:03 PM
  • OK, after a day of testing the HP Spectre XT Pro, it has the same issue as the Folio 13. Worse, there is no way in the BIOS to disable any other boot devices, hence, even with the HD as the first boot priority, it still wouldn't boot without entering the BL key. This is really sad. HP seems mum on this issue.
    Tuesday, November 27, 2012 5:02 PM
  • Hi, first post here.

    We experienced this exact problem with our HP ProBooks (no specific model). Once docked, BitLocker would require the recovery USB drive.

    We narrowed it down to users with USB flash drives connected to their docking station, and once that USB drive was removed during startup, there was no problem at all.

    So, since we almost never use USB boot post installation, we disabled the "Boot from USB" option in the computer's BIOS, and now there is no problem with BitLocker, even with the USB drive in the dock.

    Hope someone can use our experience to fix their problems. :)

    • Proposed as answer by wPhilipsen Wednesday, November 28, 2012 8:40 AM
    Wednesday, November 28, 2012 8:22 AM
  • Hi,

    you can edit the Group Policy (GPEDIT.MSC) on Windows 7 at:  Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive\Configure TPM platform validation profile

    1. select Enabled

    2. uncheck all the boxes except the one for 11.

    Monday, March 11, 2013 2:30 PM
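As an added example (not code from this thread or from Microsoft), the script below wraps the two workarounds the replies keep coming back to: the "suspend BitLocker, change the BIOS or dock, resume" procedure from the X200 post, and the Group Policy change above that trims the TPM platform validation profile down to PCR 11. It reads the current PCR profile from manage-bde output, flags a profile that keeps only PCR 11 (that silences dock-related prompts, but the TPM then no longer validates firmware, option ROMs or the boot manager, so a modified boot path would also go unnoticed), and can add a recovery key on a USB drive in the way the accepted answer describes. It assumes Windows 7 or later, manage-bde.exe on the path, and an elevated session; the function and parameter names are my own.

```powershell
# Added example, not from the thread. Assumes Windows 7+, manage-bde.exe on the
# path and an elevated PowerShell session. Function names are hypothetical.

function Get-BitLockerPcrProfile {
    param([string]$Volume = 'C:')
    # manage-bde prints "PCR Validation Profile:" under the TPM protector, with
    # the PCR numbers on the same or the following line; \s* spans both cases.
    $text = (& manage-bde.exe -protectors -get $Volume 2>&1) -join "`n"
    $m = [regex]::Match($text, 'PCR Validation Profile:\s*([0-9][0-9,\s]*)')
    if (-not $m.Success) { return @() }          # no TPM-based protector on this volume
    return @($m.Groups[1].Value -split '[,\s]+' |
             Where-Object { $_ -ne '' } |
             ForEach-Object { [int]$_ })
}

function Test-PcrProfileValidatesBootPath {
    param([int[]]$Pcrs)
    # Legacy-BIOS default profile is 0, 2, 4, 8, 9, 10, 11. PCR 2 is option ROM
    # code, which is the measurement a dock's option ROMs (see the "option ROMs"
    # reply above) or a USB device's boot ROM changes. A profile of just PCR 11
    # is the Group Policy workaround: prompts stop, but so does validation of
    # firmware, option ROMs and the boot manager. Return $false in that case.
    $set = @($Pcrs | Sort-Object -Unique)
    return -not ($set.Count -eq 1 -and $set[0] -eq 11)
}

function Suspend-BitLockerProtectors {
    param([string]$Volume = 'C:')
    # "Suspend": protectors disabled, volume stays encrypted but the key is
    # stored in the clear until Resume. Make the BIOS/dock change, reboot, resume.
    & manage-bde.exe -protectors -disable $Volume
}

function Resume-BitLockerProtectors {
    param([string]$Volume = 'C:')
    # Re-enables the protectors and reseals to the PCR values now in effect, so
    # the new dock/BIOS state becomes the expected one.
    & manage-bde.exe -protectors -enable $Volume
}

function Add-BitLockerUsbRecoveryKey {
    param([string]$Volume = 'C:', [string]$UsbRoot = 'E:\')
    # The accepted answer's approach: an external key (.BEK) on a USB stick left
    # in the dock unlocks the volume when TPM validation fails. Anyone with the
    # laptop and that stick can boot it, so this trades protection in the
    # office for protection when the laptop is away from the dock.
    & manage-bde.exe -protectors -add $Volume -RecoveryKey $UsbRoot
}

# Usage: report the current profile and whether it still validates the boot path.
$pcrs = Get-BitLockerPcrProfile -Volume 'C:'
if ($pcrs.Count -eq 0) {
    Write-Host 'No TPM protector found on C:'
} else {
    Write-Host ("TPM protector validates PCRs: " + ($pcrs -join ', '))
    if (-not (Test-PcrProfileValidatesBootPath -Pcrs $pcrs)) {
        Write-Warning 'Profile is PCR 11 only: firmware and option ROM changes are no longer validated.'
    }
}
```

Run it before and after applying either workaround so the change in the validation profile is recorded; on Windows 8 and later the same information is available from Get-BitLockerVolume, but manage-bde matches the Windows 7 era of most of the replies.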
  • At a customer we encounter exactly the same issue. I have another solution/work-around. Allow me to explain this scenario:

    The customer has several tablets, including Microsoft Surface Pro 2, Dell Venue 11 Pro 5130 and Dell Venue 11 Pro 7130. Now these Dell Venue use a docking station. The 7130 has no problem with docking and undocking. But the 5130 does. It keeps prompting for a BitLocker Recovery Key after docking/undocking.

    I have checked the BIOS and the HDD (Windows Boot Manager) is the first boot device in the boot order. I then disabled the PXE boot (from the docking station) as a 2nd boot device. The problem still occurs. I then disabled "USB Boot Support" and that solved the issue.

    Apparently the LAN interface on the docking station is seen as a USB device by the Dell Venue 11 Pro 5130. Although you don't see it in the boot order, it is present. Once you undock the tablet that USB device is removed and it triggers BitLocker to see it as a hardware change. By disabling "USB Boot Support" this problem does not occur. The downside is you cannot boot from PXE anymore.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Thursday, July 24, 2014 10:49 AM