BitLocker - becoming an irritation

    Question

  • We're deploying BitLocker to our organization with every Windows 7 laptop that is deployed.  It is quickly becoming an irritation for me because one day a user's laptop will be working fine... (BitLocker w/TPM, no PIN, no USB drive) and then, without any change, the very next day or next reboot the machine will ask for the BitLocker Recovery Key, and no amount of fiddling with anything on the system will make it go away.  The only option we have left is to decrypt the drive and re-encrypt it. 

    This is happening on all platforms we have deployed with varying configurations, docked, undocked, etc... I can find no discernible pattern to this... I can't find a "Best Practices" for how to deploy this that encompasses everything from BIOS settings, to boot orders, to software installed or not installed on workstations...

    Does anyone have or know of a comprehensive document for troubleshooting BitLocker?  I've seen the list of things that can trigger recovery key mode, and that list basically makes me want to stop deploying it... it seems that all you have to do is breathe wrong on a BitLocker-encrypted laptop and it will go into recovery mode.

    r/
    john

     


    John Wildes | Senior Enterprise Architect | United Airlines | Desktop Engineering
    Wednesday, March 02, 2011 5:20 PM

Answers

  • Hello John,

    In the GPOs under

    \Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive

    you will find TPM-Validation-Profile. You have to activate it to see the defaults and then you can change it. 

     

    Greetings Th0u.

    Monday, March 07, 2011 2:00 PM
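    The policy named in the answer only sets the profile that BitLocker uses when a TPM protector is created; a drive encrypted earlier keeps the PCR set it was sealed with. The following PowerShell is an added example (not part of the original answer and not Microsoft's code) that reads the policy-prescribed profile from the registry and the PCR set the existing TPM protector is actually sealed to, via the Win32_EncryptableVolume WMI class, and flags a mismatch. The registry key names are assumptions for the Windows 7 "Configure TPM platform validation profile" setting and its Windows 8 legacy-BIOS successor; verify them against your ADMX.

```powershell
# Added example (not from the original thread): compare the TPM platform validation
# profile that Group Policy prescribes with the PCR set the existing TPM key protector
# is actually sealed to. Run from an elevated PowerShell prompt on the client.
# Assumptions: the policy registry key names below (Windows 7 stores the setting
# under FVE\PlatformValidation; Windows 8+ uses OSPlatformValidation_BIOS/_UEFI).

$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation',        # assumed Windows 7 key
    'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS'  # Windows 8+ legacy-BIOS key
)

# BitLocker's built-in default on BIOS machines when the policy is Not Configured.
$DefaultProfile = 0, 2, 4, 8, 9, 10, 11

function Get-PolicyPcrProfile {
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        if ($item.Enabled -ne 1) { continue }
        # The policy writes one DWORD per PCR, named "0".."23"; 1 means the PCR is in the profile.
        $pcrs = @()
        foreach ($n in 0..23) {
            $name = "$n"
            if ($item.PSObject.Properties[$name] -and $item.$name -eq 1) { $pcrs += $n }
        }
        return ,$pcrs
    }
    return ,@($DefaultProfile)
}

function Get-SealedPcrProfile {
    param([string]$Drive = 'C:')
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
    if (-not $vol) { throw "No BitLocker-capable volume found for $Drive" }
    # KeyProtectorType 1 = TPM-only protector
    $ids = @($vol.GetKeyProtectors(1).VolumeKeyProtectorID)
    if ($ids.Count -eq 0) { return $null }
    $res = $vol.GetKeyProtectorPlatformValidationProfile($ids[0])
    if ($res.ReturnValue -ne 0) {
        throw ('GetKeyProtectorPlatformValidationProfile failed: 0x{0:X8}' -f $res.ReturnValue)
    }
    return ,@([int[]]$res.PlatformValidationProfile)
}

function Compare-PcrProfile {
    param([string]$Drive = 'C:')
    $policy = Get-PolicyPcrProfile
    $sealed = Get-SealedPcrProfile -Drive $Drive
    $inSync = $false
    $sealedText = '<no TPM protector>'
    if ($sealed) {
        $sealedText = $sealed -join ','
        # Compare-Object returns nothing when both sets are identical.
        $inSync = -not (Compare-Object $policy $sealed)
    }
    # InSync = $false means the policy changed after this TPM protector was created;
    # the protector keeps the profile it was sealed with until it is removed and re-added.
    [pscustomobject]@{
        Drive  = $Drive
        Policy = ($policy -join ',')
        Sealed = $sealedText
        InSync = $inSync
    }
}

Compare-PcrProfile -Drive 'C:' | Format-List
```

    A machine that reports InSync = False after a GPO change has not picked up the new profile, and suspending and resuming BitLocker will not change that; only a TPM protector created after the policy change carries the new PCR set.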

All replies

  • I work for an enterprise org as well and we're looking into Bitlocker.  Your story scares me.  I'll be watching this thread.  And I hope you get a reply soon.


    Jason Yates
    Wednesday, March 02, 2011 8:32 PM
  • Hi John,

    I'm not sure of the exact cause of the issue, but you may check whether the TPM Base Services service is started.

    Hope it helps.

    Styx

    Thursday, March 03, 2011 8:46 AM
  • Hi Jason,

    It's a very good (super) feature developed by Microsoft, very secure, go ahead. There is no need to be scared.

    TPM is basically a hardware chip.

    Thursday, March 03, 2011 9:31 AM
  • Thanks for the replies everyone.  I'm aware of what the TPM chip is and does... I've found that in some cases the TPM is turned off in the BIOS after a reboot or an undock (not deactivated, just turned off). 

    Checking that TPM Base Services is started would help after Windows loads... I'm not sure how that would affect a booting system that asks for the recovery key?  I'm confused as to why the TPM validation of the system is not enough for BitLocker, such that any number of the changes or events that happen here:

    http://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx#BKMK_examplesosrec

    ..can cause a BitLocker Recovery key scenario...

    What I'm hoping someone from Microsoft can answer is "How do I troubleshoot this?"  Where is the log that says you had a BitLocker recovery error because you had a CD in your drive when you booted, or you had undocked your laptop... or you had changed your battery... and why would these things matter???  Seriously, it was like the encryption scheme was designed without normal usage scenarios in mind. 

    I'm not trying to cause trouble here, just frustrated at not being able to create documentation for my field service people who have to support this, and wondering why my laptop with BitLocker (one of the first installations we did) has had 0 issues, and I have done almost everything on this list to cause BitLocker to ask for a recovery key...


    John Wildes | Senior Enterprise Architect | United Airlines | Desktop Engineering
    Thursday, March 03, 2011 2:56 PM
  • Hello John,

    Unfortunately there is, AFAIK, no troubleshooting guide.

    I am the project leader in our company for the BitLocker deployment on 1000+ PCs/laptops. All our PCs have run BitLocker for 6 months now.

    During the planning phase we tested all combinations (different boot scenarios, different TPM profiles, docking stations and so on) we could think of and created a matrix to see which combination leads to which result (BitLocker unlocks or stays locked). With this matrix we could find a suitable TPM profile and got a feeling for the situations in which BitLocker stays locked.

    What I found out during the project planning/testing/production period is that it's important to have a proper TPM validation profile in the GPO, suitable for the production environment. 
    Changes to the boot order, a skipped PXE boot, a different PXE server version/product, a changed value in the BIOS, a detached network cable, a docking station... all of this can lead to a locked system. 

    Sorry that I can't point you to a troubleshooting guide. Here it sometimes helps just to try a reboot, and sometimes it helps to identify the current constellation and check it against the test matrix to find the differences.

    Greetings Th0u

    Friday, March 04, 2011 3:10 PM
  • This might be bold and in poor taste so I apologize ahead of time . . . but can you share this test matrix - devoid of organizational identifiers?
    Jason Yates
    Friday, March 04, 2011 5:29 PM
  • Hello John,

        I wrote this article a while back; it should help answer some of the most common causes of BitLocker recovery. So far I have not come across a scenario where following the items in this blog did not resolve the problems. The reason there is no logging as to what caused BitLocker to go into recovery (and this is my educated thought) is that since Windows does not control the BIOS and/or TPM chip, along with it happening during Bootmgr (no logging), we are unable to capture which exact PCR register changed in order to trip BitLocker. I have seen scenarios where the BIOS was returning invalid information to Bootmgr due to an outdated BIOS on the system. If you suspend BitLocker and then resume BitLocker, it will reseal the TPM chip and the PCR values. Also, note that Windows Updates have built-in logic to not trip BitLocker into recovery mode.

    http://blogs.technet.com/b/askcore/archive/2010/08/04/issues-resulting-in-bitlocker-recovery-mode-and-their-resolution.aspx


    Tanner --- This is posted as-is and has no warranty or guarantee ---
    Sunday, March 06, 2011 1:34 AM
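    The suspend/resume reseal that Tanner describes, as an added PowerShell wrapper around manage-bde (this is not Tanner's, the blog's or Microsoft's code; it uses the Windows 7 manage-bde syntax and must run elevated). Two points it makes explicit: suspending does not regenerate the numerical (recovery) password, only the TPM sealing is redone when protection is resumed, which the script shows by listing protector IDs before and after; and the reseal binds the TPM protector to the PCR values of the current boot, so if the platform measures differently again on the next boot you are back at the recovery prompt. For that reason the script refuses to run unless a recovery password protector exists.

```powershell
# Added example (not Tanner's or Microsoft's code): suspend and resume BitLocker on the
# OS drive with manage-bde so the TPM protector is re-sealed to the PCR values of the
# current boot. Windows 7 manage-bde syntax; run from an elevated prompt.

function Get-BdeProtectors {
    param([string]$Drive = 'C:')
    $out = & manage-bde -protectors -get $Drive 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -get $Drive failed:`n$out" }
    # Each protector is printed as a header line ("TPM:", "Numerical Password:")
    # followed by an "ID: {GUID}" line; pull the GUIDs per header.
    $idsUnder = {
        param($header)
        [regex]::Matches($out, "(?m)^\s*$header\s*\r?\n\s*ID:\s*(\{[^}]+\})") |
            ForEach-Object { $_.Groups[1].Value }
    }
    $pcrLine = [regex]::Match($out, 'PCR Validation Profile:\s*\r?\n\s*([\d, ]+)')
    [pscustomobject]@{
        Tpm              = @(& $idsUnder 'TPM:')
        RecoveryPassword = @(& $idsUnder 'Numerical Password:')
        SealedPcrs       = ($pcrLine.Groups[1].Value -replace '\s', '')
    }
}

function Invoke-BdeReseal {
    param([string]$Drive = 'C:')
    $before = Get-BdeProtectors -Drive $Drive
    if ($before.RecoveryPassword.Count -eq 0) {
        throw "No numerical password protector on $Drive. Add and escrow one first; it is the only way back in if the re-sealed TPM still mismatches on the next boot."
    }
    if ($before.Tpm.Count -eq 0) { throw "No TPM protector on $Drive; nothing to re-seal." }

    # Suspend: the volume stays encrypted, but the volume master key is stored in the
    # clear so that the next boot unlocks without the TPM. Do not leave it in this state.
    & manage-bde -protectors -disable $Drive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -disable $Drive failed" }

    # Resume: BitLocker re-seals the TPM protector against the PCR values measured on this
    # boot. The numerical password is not regenerated; its ID is the same before and after.
    & manage-bde -protectors -enable $Drive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -enable $Drive failed; the volume is still suspended" }

    $after = Get-BdeProtectors -Drive $Drive
    [pscustomobject]@{
        Drive                     = $Drive
        RecoveryPasswordUnchanged = -not (Compare-Object $before.RecoveryPassword $after.RecoveryPassword)
        TpmProtectorId            = ($after.Tpm -join ', ')
        SealedPcrs                = $after.SealedPcrs
    }
}

Invoke-BdeReseal -Drive 'C:' | Format-List
```

    No reboot is needed between the disable and the enable: the enable step seals to whatever the TPM measured during the boot you are currently in, which is exactly the state the user got into after typing the recovery key. Field staff should confirm RecoveryPasswordUnchanged = True and that the password is escrowed before handing the laptop back.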
  • Hello Jason,

    the matrix details themselves may not help you, because the results depend on the hardware/BIOS/TPM/... used, as stated by Tanner S.

    The matrix consists of PCR0-PCR11 (x-axis) and changes (y-axis).

    Changes are "use cases", e.g. "changing boot order by pressing ESC" or "starting PC w/o NIC cable", or "flashing BIOS", or "changing BIOS settings", or "removing HD", or attaching/removing notebook to/from docking station, or "shutdown PXE server", or "change PXE server version".

    We brought all PCs/notebooks to the latest BIOS. Then we picked one system from each PC/notebook model for testing. Then we started with a TPM profile where all PCRs are activated, changed things on the system as defined in the use cases and documented whether a "change" leads to a bitlocked system. If yes, we deactivated the PCRs one by one, beginning with PCR11, and tested again until a change to the system no longer leads to a bitlocked system. For example, PCR4/5 are sensitive to changes in the boot process of the PC (the process before the handover to Windows 7).

    We created a matrix for nearly all of our different PC models (atm 1 brand/5 models).

    The tests also revealed that different PC models from the same vendor (one of the bigger office PC brands) behave differently. And after the tests I can second the info from Tanner's blog entry that the TPM implementation varies and that this is not within the scope of Windows.

    Another part is changes to things inside Windows, like installing updates, manipulating Windows and so on. We decided to test this on demand (before rolling out updates). Also, our users have no admin rights, so this prevents changes to Windows which may lead to a bitlocked system. Microsoft says that Windows patches should not trigger BitLocker, because Windows files carry a certificate. In contrast to this we had several bitlocked systems after installing win7-mui-en-us.

     

    Greetings Th0u

    Monday, March 07, 2011 10:35 AM
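    To make Th0u's "identify the current constellation and check it against the test matrix" step repeatable by field staff, here is an added PowerShell example (not Th0u's matrix or tooling) that captures the platform state relevant to PCR measurements, appends it as one matrix row together with the use case tried, the PCR profile under test and the observed result, and diffs a later capture against rows of the same model that unlocked cleanly. Assumptions: PowerShell 3.0 or later, that the vendor reports a dock as SMBIOS chassis type 12, and that the tester supplies the PCR profile and result by hand; the CSV path and column names are the example's own.

```powershell
# Added example (not Th0u's matrix): capture the platform "constellation" of a test
# machine, append it as one row of a PCR test matrix, and diff a later capture against
# the rows that unlocked cleanly. Assumptions: PowerShell 3.0+, SMBIOS chassis type 12
# is reported for a dock, and the tester supplies PCR profile and observed result.

function Get-PlatformConstellation {
    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $bios = Get-WmiObject -Class Win32_BIOS
    $encl = Get-WmiObject -Class Win32_SystemEnclosure
    $bat  = Get-WmiObject -Class Win32_Battery
    $tpm  = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    $tbs  = Get-Service -Name TBS -ErrorAction SilentlyContinue   # TPM Base Services
    $tpmEnabled = $false; $tpmActivated = $false; $tpmOwned = $false
    if ($tpm) {
        # Win32_Tpm exposes state through methods, each returning an object with one bool.
        $tpmEnabled   = [bool]$tpm.IsEnabled().IsEnabled
        $tpmActivated = [bool]$tpm.IsActivated().IsActivated
        $tpmOwned     = [bool]$tpm.IsOwned().IsOwned
    }
    [pscustomobject]@{
        Model        = "$($cs.Manufacturer) $($cs.Model)"
        BiosVersion  = [string]$bios.SMBIOSBIOSVersion
        Docked       = [bool]($encl | Where-Object { $_.ChassisTypes -contains 12 })   # assumption: dock = chassis type 12
        OnBattery    = [bool]($bat | Where-Object { $_.BatteryStatus -eq 1 })         # 1 = discharging
        TpmPresent   = [bool]$tpm
        TpmEnabled   = $tpmEnabled
        TpmActivated = $tpmActivated
        TpmOwned     = $tpmOwned
        TbsRunning   = ($tbs -ne $null -and $tbs.Status -eq 'Running')
    }
}

function Add-MatrixRow {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$UseCase,      # e.g. "undock then cold boot"
        [Parameter(Mandatory=$true)][string]$PcrProfile,   # e.g. "0,2,4,8,9,10,11"
        [Parameter(Mandatory=$true)][ValidateSet('Unlocked','Recovery')][string]$Result
    )
    $row = Get-PlatformConstellation |
        Select-Object @{n='When';e={(Get-Date).ToString('s')}}, @{n='UseCase';e={$UseCase}},
                      @{n='PcrProfile';e={$PcrProfile}}, @{n='Result';e={$Result}}, *
    $lines = $row | ConvertTo-Csv -NoTypeInformation
    if (Test-Path $Path) { $lines | Select-Object -Skip 1 | Add-Content -Path $Path }   # append without header
    else                 { $lines | Set-Content -Path $Path }
    return $row
}

function Compare-ToMatrix {
    # Diff the current machine against rows of the same model that unlocked cleanly and
    # list the constellation fields that differ: the "find the differences" step.
    param([Parameter(Mandatory=$true)][string]$Path)
    $now  = Get-PlatformConstellation
    $good = Import-Csv -Path $Path | Where-Object { $_.Result -eq 'Unlocked' -and $_.Model -eq $now.Model }
    foreach ($ref in $good) {
        $diff = foreach ($p in $now.PSObject.Properties) {
            if ([string]$ref.($p.Name) -ne [string]$p.Value) { "$($p.Name): matrix=$($ref.($p.Name)) now=$($p.Value)" }
        }
        [pscustomobject]@{ UseCase = $ref.UseCase; PcrProfile = $ref.PcrProfile; Differences = ($diff -join '; ') }
    }
}

# Usage on a test box after each scenario, then on a field machine that hit recovery:
# Add-MatrixRow -Path .\bitlocker-matrix.csv -UseCase 'boot on dock, no NIC cable' -PcrProfile '0,2,4,8,9,10,11' -Result Recovery
# Compare-ToMatrix -Path .\bitlocker-matrix.csv
```

    The fields captured are the ones this thread keeps coming back to (BIOS version, dock, battery, TPM enabled/activated/owned, TBS service); anything the matrix shows as differing between a clean boot and a recovery boot of the same model is the first thing to check against the PCR column for that use case.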
  • Tanner,

    Thanks for the information.  So what you're saying is that when I encounter one of these scenarios where we cannot find out what happened to trip the BitLocker recovery key, we boot the workstation, suspend BitLocker, reboot (we should be able to start without the key), and then resume BitLocker?  Will this keep the same key in place?  Will it change the key that is there and give us a new one?

    Thanks

    john


    John Wildes | Senior Enterprise Architect | United Airlines | Desktop Engineering
    Monday, March 07, 2011 1:43 PM
  • Th0u,

    Where exactly did you create your tpm-validation-profile?  I cannot find any information on how to do it via Group Policy?

    r/
    john


    John Wildes | Senior Enterprise Architect | United Airlines | Desktop Engineering
    Monday, March 07, 2011 1:43 PM
  • I think the key to your issue is that you set the BIOS Boot order to always boot from HDD first before you enable BitLocker.  Then the only time you'll see the prompt for the recovery key is if the laptop is booted off some other media like USB or DVD.

    You might find this helpful for automatically saving the BitLocker keys and TPM information into Active Directory.

    http://blog.concurrency.com/infrastructure/enable-bitlocker-automatically-save-keys-to-active-directory/

     


    MrShannon | Concurrency Blogs | UAG SP1 DirectAccess Configuration Guide
    Friday, June 10, 2011 4:38 PM
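    Escrowing the recovery password is what turns a recovery prompt from a day-long outage into a help-desk call, so as an added PowerShell example (not MrShannon's, the linked blog's or Microsoft's code) the following checks that the Windows 7 "Choose how BitLocker-protected operating system drives can be recovered" policy requires AD DS backup, then pushes every numerical password protector on the OS drive to Active Directory through the Win32_EncryptableVolume WMI method, the same operation as `manage-bde -protectors -adbackup C: -id {GUID}`. The registry value names OSActiveDirectoryBackup and OSRequireActiveDirectoryBackup are assumptions about how that policy is stored; the computer must be domain-joined and the schema extended for BitLocker recovery objects.

```powershell
# Added example: confirm recovery-information escrow is required by policy and push the
# OS drive's numerical password(s) to Active Directory. Run elevated on a domain member.
# Assumption: the FVE policy value names below (OSActiveDirectoryBackup,
# OSRequireActiveDirectoryBackup) for the Windows 7 OS-drive recovery policy.

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-AdBackupPolicy {
    if (-not (Test-Path $FvePolicy)) { return $false }
    $p = Get-ItemProperty -Path $FvePolicy
    # OSActiveDirectoryBackup = save recovery info to AD DS;
    # OSRequireActiveDirectoryBackup = refuse to turn BitLocker on until the save succeeds.
    return ($p.OSActiveDirectoryBackup -eq 1) -and ($p.OSRequireActiveDirectoryBackup -eq 1)
}

function Backup-BdeRecoveryPasswordToAd {
    param([string]$Drive = 'C:')
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
    if (-not $vol) { throw "No BitLocker-capable volume found for $Drive" }
    # KeyProtectorType 3 = numerical password (the 48-digit recovery password)
    $ids = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID)
    if ($ids.Count -eq 0) {
        throw "No numerical password on $Drive; add one with: manage-bde -protectors -add $Drive -RecoveryPassword"
    }
    foreach ($id in $ids) {
        # Equivalent to: manage-bde -protectors -adbackup $Drive -id $id
        $r = $vol.BackupRecoveryInformationToActiveDirectory($id)
        [pscustomobject]@{
            Drive       = $Drive
            ProtectorId = $id
            ReturnValue = ('0x{0:X8}' -f $r.ReturnValue)
            Succeeded   = ($r.ReturnValue -eq 0)
        }
    }
}

if (-not (Test-AdBackupPolicy)) {
    Write-Warning 'OS-drive recovery policy does not require AD DS backup; machines encrypted without it will have no escrowed key.'
}
Backup-BdeRecoveryPasswordToAd -Drive 'C:' | Format-Table -AutoSize
```

    Run the backup function against drives that were encrypted before the policy was in place; the policy only governs what happens at the moment BitLocker is turned on, and a laptop encrypted earlier has nothing in AD until someone pushes it.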
  • I have gone into the BIOS and removed CD-ROM, USB and PXE boot from the boot list and only have the HDD in the startup. But once in a while I see laptops that keep asking for the Recovery Key.  I have also noticed that sometimes the OS gets corrupted and goes into a reboot cycle, prompting for the Recovery Key each time. Does anyone know or can help me on how to troubleshoot what might be causing this issue???  Any suggestions, and hopefully some answers to my dilemma.

    Thanks You

    Monday, April 16, 2012 8:23 PM
  • I am seeing the same issues.  HDD is first boot device. Users travel between two offices so they dock in two different docking stations.  Sometimes it works fine, other times it prompts for Rec key.  No USB drives connected or CDs in tray.

    Random stuff!

    Tuesday, November 13, 2012 2:55 PM
  • John and Moto32,

    I also have seen these kinds of issues on laptops across our deployment. Random requests for a key with no changes being made. The most recent example was my own laptop going to sleep overnight; coming back in the AM to unlock it and start working, before I could, I had to enter a BitLocker key. The comment made regarding entering the key, going into the computer, putting BitLocker in suspended mode, rebooting and then turning it back on to stop the requirement to keep entering the key is valid, and we have been doing it for months with multiple computers.

    My concern is that it has caused multiple corrupted data drives and OS Drives. We were able to get our data off before rebuilding but the fact that it fails continuously tells me that it is not fully tested, not fully vetted and a product that we are going to start removing because of the concerns it is causing. A mobile work force using this kind of solution is a huge risk that I am not willing to take.

    Keep in mind, if your user base is not technology savvy, you are at even higher risk of issues when they are mobile and the key request appears. Can you afford to have a user down and offline for a day or more before they can get to a tech to resolve it for them? We cannot and have had to do so while people were traveling. Not a good situation.

    Just my 2 cents.

    DB

    Thursday, December 06, 2012 1:17 PM
  • Hey,

    regarding the problems with docking stations: AFAIK TPM option PCR2 should be disabled when using docking stations. We use about 100 Dell Latitudes + docks and found in the beginning that PCR2 has to be disabled for our environment. Also, sometimes users call to get the BitLocker key because Windows was not shut down properly (possibly battery down), and most of the time they are told not to use "Start Windows repair" but to choose "Start Windows normally", which then starts Windows w/o asking for the BitLocker key.

    At the moment we have some trouble with the newest Dell Latitude 6330 and OptiPlex 7010 in conjunction with PXE boot. There seem to be some changes in the BIOS, and the bootix PXE bootloader confuses the new BIOS/TPM.

    Regards, T

    BTW: What's your experience when changing the TPM profile? In my case I always had to decrypt/encrypt the complete disk. Manage-bde -protectors c: -disable/-enable to acknowledge (BIOS) changes does not work for changes in the TPM profile.




    • Edited by Th0u Wednesday, December 19, 2012 10:27 PM
    Wednesday, December 19, 2012 10:24 PM
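    Suspend/resume re-seals the existing TPM protector to its existing PCR set; the PCR profile itself is fixed at the moment the TPM protector is created, which is why a policy change such as dropping PCR2 does not show up through -disable/-enable. As an added PowerShell example (not Th0u's or Microsoft's code), the following applies a changed profile to an already-encrypted OS drive by deleting the TPM protector and adding a fresh one with `manage-bde`, which seals against the profile the current policy prescribes; the full-volume encryption key and the data are untouched, so no decrypt/re-encrypt cycle is needed. It uses Windows 7 manage-bde syntax, must run elevated, and refuses to proceed unless a numerical password protector exists, because between the delete and the add that password is the only unlock path.

```powershell
# Added example (not Th0u's or Microsoft's code): apply a changed TPM platform
# validation profile (e.g. PCR2 dropped for docked laptops) to an already-encrypted
# OS drive by replacing the TPM key protector. No decrypt/re-encrypt. Run elevated.

function Get-SealedPcrLine {
    param([string]$Drive)
    $out = & manage-bde -protectors -get $Drive 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -get $Drive failed:`n$out" }
    # manage-bde prints "PCR Validation Profile:" followed by a line such as "0, 2, 4, 8, 9, 10, 11"
    $m = [regex]::Match($out, 'PCR Validation Profile:\s*\r?\n\s*([\d, ]+)')
    if ($m.Success) { return ($m.Groups[1].Value -replace '\s', '') }
    return ''
}

function Update-BdeTpmProtector {
    param([string]$Drive = 'C:')
    $status = & manage-bde -protectors -get $Drive 2>&1 | Out-String
    if ($status -notmatch 'Numerical Password:') {
        throw "No recovery password on $Drive; add and escrow one first (manage-bde -protectors -add $Drive -RecoveryPassword)."
    }
    $old = Get-SealedPcrLine -Drive $Drive
    if (-not $old) { throw "No TPM protector on $Drive to replace." }

    # Removing the TPM protector leaves the recovery password as the only unlock path,
    # so the replacement is done immediately in the same session.
    & manage-bde -protectors -delete $Drive -type TPM | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -delete $Drive -type TPM failed" }

    # The new protector is sealed with the profile the current Group Policy prescribes
    # and the PCR values of this boot.
    & manage-bde -protectors -add $Drive -tpm | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde -protectors -add $Drive -tpm failed; the next boot will need the recovery password"
    }

    [pscustomobject]@{
        Drive   = $Drive
        OldPcrs = $old
        NewPcrs = (Get-SealedPcrLine -Drive $Drive)
    }
}

Update-BdeTpmProtector -Drive 'C:' | Format-List
```

    Run it after the GPO has refreshed on the client (check with gpresult or a gpupdate first); OldPcrs and NewPcrs in the output should differ exactly by the PCRs you changed in the policy, and the recovery password printed by `manage-bde -protectors -get` is the same before and after.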
  • Hey Ralph,

    try removing pcr2 from your tpm-profile.

    Regards, T

    Wednesday, December 19, 2012 10:35 PM
  • Would anyone be aware of a blog that explains Group Policy approaches to mitigating Bitlocker irritations?

    I've just recently discovered the 'randomly asks for a recovery key when docked' problem during testing, which lead me to this thread.  I'll experiment with the suggestions, but a blog that explains and contextualises the options would be very helpful.

    Wednesday, February 26, 2014 9:44 AM