BitLocker and Build 1803: "Choose how to unlock your drive at startup" 3rd option missing

  • Question

  • So I have a new laptop that was upgraded from build 1607 to 1803. I went to enable BitLocker and am not being presented with the option to "let BitLocker automatically unlock my drive." I only have the USB and PIN options. I know build 1607 has all 3 options. We are on a corporate domain and I have GPOs set up to back up the keys to AD; the laptop uses TPM and so do the others. This is the only one I have on build 1803 at this time. Is it an issue with the build? Is there a timeline on a fix if so? Right now this laptop is having issues taking KB4284835. I was hoping this KB would resolve the issue. Ideas on why the option is not being presented?
    Tuesday, July 10, 2018 9:39 PM

Answers

  • Interesting, does TPM 2.0 truly require UEFI mode and Secure Boot turned on? We have been unable to get our devices to PXE boot into MDT with Secure Boot and UEFI-only turned on. We normally disable Secure Boot and enable legacy boot options. Now I read something that states TPM2 does not fully function with BitLocker if not in Secure Boot mode with BIOS UEFI mode enabled. It made me go back and look at the other laptops that I am currently deploying, and they actually failed to enable BitLocker because BitLocker could not obtain the key from the TPM. But AD shows the key in the device Properties, so I am a bit confused why AD can see it but the device cannot.
    • Marked as answer by IT_JoeM Friday, July 13, 2018 6:15 PM
    Thursday, July 12, 2018 2:57 PM
  • TPM 2.0 needs Windows to be installed in UEFI mode, yes. Otherwise, the recovery key will be asked for on each boot since the TPM does not work.

    Secure boot is recommended, but not needed.

    • Marked as answer by IT_JoeM Friday, July 13, 2018 6:16 PM
    Friday, July 13, 2018 6:09 AM

All replies

  • If the PIN option is present, then the TPM is working.

    @moderation: is that unclear?

    @IT_JoeM: use rsop.msc to see all policies that apply and verify if "TPM-only" is allowed or if (as it seems) a PIN requirement is enforced.

    Wednesday, July 11, 2018 10:15 AM
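An added example (not posted in the thread) that pulls together the checks the two answers above point at: firmware mode, Secure Boot and TPM state, plus the startup-authentication policy values that rsop.msc would show, read from the FVE policy key. The registry value names follow the BitLocker ADMX (VolumeEncryption.admx); the decision about when the wizard offers the TPM-only option is this example's own reading of the "Require additional authentication at startup" policy, not something the thread states.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on the
# affected laptop. For the Use* policy values: 0 = Do not allow, 1 = Allow, 2 = Require.
function Get-BitLockerStartupReadiness {
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

    # Firmware mode: TPM 2.0 only serves BitLocker when Windows was installed in UEFI mode.
    $firmware = $env:firmware_type
    # Secure Boot is recommended, not required; the cmdlet throws on legacy BIOS.
    try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = 'n/a (legacy BIOS)' }

    $tpm     = Get-Tpm
    $tpmInfo = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm

    # "Let BitLocker automatically unlock my drive" is the TPM-only protector. Assumption
    # (this example's reading of the policy): the wizard offers it when the startup policy is
    # not configured or UseTPM is Allow/Require, and hides it when UseTPM is Do not allow or
    # another protector (PIN, startup key, key + PIN) is set to Require.
    $policyConfigured = ($null -ne $fve) -and ($fve.UseAdvancedStartup -eq 1)
    if (-not $policyConfigured) {
        $tpmOnlyOffered = $true;  $why = 'startup policy not configured: all options shown'
    } elseif ($fve.UseTPM -eq 0) {
        $tpmOnlyOffered = $false; $why = 'UseTPM = 0 (TPM-only not allowed)'
    } elseif (@($fve.UseTPMPIN, $fve.UseTPMKey, $fve.UseTPMKeyPIN) -contains 2) {
        $tpmOnlyOffered = $false; $why = 'another startup protector is set to Require'
    } else {
        $tpmOnlyOffered = $true;  $why = 'UseTPM allows TPM-only'
    }

    [pscustomobject]@{
        FirmwareType       = $firmware
        SecureBoot         = $secureBoot
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        TpmSpecVersion     = $tpmInfo.SpecVersion
        UseAdvancedStartup = $fve.UseAdvancedStartup
        UseTPM             = $fve.UseTPM
        UseTPMPIN          = $fve.UseTPMPIN
        UseTPMKey          = $fve.UseTPMKey
        UseTPMKeyPIN       = $fve.UseTPMKeyPIN
        OSRequireADBackup  = $fve.OSRequireActiveDirectoryBackup
        OSHideRecoveryPage = $fve.OSHideRecoveryPage
        TpmOnlyOffered     = $tpmOnlyOffered
        Reason             = $why
    }
}

Get-BitLockerStartupReadiness | Format-List
```

A FirmwareType of Legacy with TpmSpecVersion starting 2.0 matches the recovery-key-on-every-boot symptom described in the marked answer; a UseTPM of 0 or a Require on another protector matches the missing third option.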
  • In regards to the PIN, I only enforce a minimum length if a PIN is used. But the other laptops I have present all three options when you enable BitLocker. When enabling I choose to save a copy of the keys to a USB stick.

    Policies are applied. I even tried enabling the following:

    - Do not enable BitLocker until recovery information is stored to AD DS (for fixed drives and OS drives)

    - Omit recovery options from the BitLocker setup wizard (for fixed drives)

    Just noticed I missed the omit option on the OS drive. Going to correct that.

    But like I said, this issue only seems to affect laptops running Win10 build 1803. I have not tried disabling the TPM yet. I am imaging new laptops and enabling BitLocker afterward. Most of them are still on the base 1607 build; they just have not had their chance to upgrade yet from WSUS before I enable BitLocker. But one of them had already moved up to 1803 before I completed my post-image checks. We don't have MDT set up to enable BitLocker.

    Wednesday, July 11, 2018 9:53 PM
  • Interesting. I just logged into the laptop in question and tried enabling BitLocker, and it skipped the USB startup and PIN question and went straight to the "you need to insert a USB stick to save the keys" prompt before enabling. Except it did not prompt for a location to save the keys, so it never saved them to the USB drive. At this point in time, the only thing I did was let the system sit for a day and take any other updates.
    Wednesday, July 11, 2018 10:01 PM
  • Interesting side note. I misunderstood what BitLocker was trying to do. It turned on, but only after it keyed itself to a USB stick. Back to square one. I suppose if I wanted I could just re-image and start over with BitLocker before 1803 is grabbed from WSUS.
    Thursday, July 12, 2018 2:11 PM
  • I think we are close to doing secure boot. We just need to sign the MDT related file.
    Friday, July 13, 2018 2:11 PM
  • So we resolved our MDT PXE Secure Boot issues and re-imaged the laptop. I suspect the issue is resolved and will mark what applies after I verify things.
    • Edited by IT_JoeM Friday, July 13, 2018 6:15 PM
    Friday, July 13, 2018 5:40 PM