Solved

Bitlocker encrypted system keeps asking for key at boot

Posted on 2011-09-13
Last Modified: 2012-09-13
I have an HP laptop with a TPM 1.2 level chip. I have successfully encrypted the C: drive with bitlocker. The OS is 32-bit Windows 7 Ultimate. However, every time I boot it, I have to enter the key.  

I have found several articles about this and they all pretty much say the same thing. I have decrypted the disk, reset and reinitialized the TPM module and reencrypted the disk and I get the same thing.

Thoughts?
Question by: jhyiesla

7 Comments
Expert Comment by: McKnife (LVL 53)
Please read the message carefully that tells you to enter your "key" (what key, the short PIN or the long recovery key?) and quote it here.
Normally, you will need to enter the recovery key only if something at bios level has changed or other low level hardware changes have taken place. Please quote.
Author Comment by: jhyiesla (LVL 28)
I'm not by the laptop at this moment, but what it wants is the long 48 character key. If I enter it, Windows boots just fine. I've installed bitlocker on other machines without issue, but this one fails to boot every time unless I enter the key. And the message, which I will post here on Monday when I am near the laptop, does mention that something has changed with the boot partition or something and all I am doing is merely shutting down the laptop, or restarting it, and then starting it up again. I even removed the HP tools partition and rebooted before installing any software beyond the OS and the HP drivers.
Expert Comment by: McKnife (LVL 53)
I am pretty sure the message tells you to disable bitlocker and enable it again (after once and only once typing in the recovery key). That would be normal if something had changed. But twice or even more often?
Author Comment by: jhyiesla (LVL 28)
So, I fired up the laptop after it sat all weekend and it went into Windows just fine. Then I rebooted it and got the message again. Here is what it says:

The system boot information has changed since bitlocker was enabled.

You must supply a bitlocker recovery key to start this system.

Confirm that the changes to the system boot information are authorized.

If the changes to the system boot information are trusted, then suspend and resume bitlocker. This will reset bitlocker to use the new boot information. Otherwise restore the system boot information.

I believe that I have done the suspend thing before. But I get into Windows and I suspend and then resume. Then I reboot and it comes up fine. Then I log into Windows and then do a ShutDown from Windows. When I restart the laptop, I am presented with the message again.
Accepted Solution by: McKnife (LVL 53, earned 500 total points)
Alright, I see.
"The system boot information" is a lot of things; please verify whether any of the following could have changed:

What causes BitLocker to start into recovery mode when attempting to start the operating system drive?

The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:

- Changing any boot configuration data (BCD) boot entry data type settings, with the exception of the following items: DESCRIPTION, RAMDISKIMAGEOFFSET, PASSCOUNT, TESTMIX, FAILURECOUNT, TESTTOFAIL.

  Warning: When installing a language pack, an additional option in the language pack installation wizard asks if the user wants to apply language settings to All users and system accounts. If this option is selected, it will change the local computer BCD settings (if the user-only option is selected, BCD settings are not changed). This change will result in a modification of a BCD setting to the new locale value. If you are using a TPM with BitLocker, this is interpreted as a boot attack on reboot and the computer will require that the user enter the recovery password or recovery key to start the computer.

  We recommend that you suspend BitLocker before changing locales or installing a language pack, just as you would before making any major computer configuration change, such as updating the BIOS.

- Changing the BIOS boot order to boot another drive in advance of the hard drive.
- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
- Failing to boot from a network drive before booting from the hard drive.
- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. This means that if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.
- Changes to the NTFS partition table on the disk, including creating, deleting, or resizing a primary partition.
- Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.
- Turning off the BIOS support for reading the USB device in the pre-boot environment if you are using USB-based keys instead of a TPM.
- Turning off, disabling, deactivating, or clearing the TPM.
- Upgrading critical early startup components, such as a BIOS upgrade, causing the BIOS measurements to change.
- Forgetting the PIN when PIN authentication has been enabled.
- Updating option ROM firmware.
- Upgrading TPM firmware.
- Adding or removing hardware. For example, inserting a new card in the computer, including some PCMCIA wireless cards.
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
- Changes to the master boot record on the disk.
- Changes to the boot manager on the disk.
- Hiding the TPM from the operating system. Some BIOS settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS secure startup is disabled, and the TPM does not respond to commands from any software.
- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs.
- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including PCR[1] would result in most changes to BIOS settings causing BitLocker to enter recovery mode.

  Note: Some computers have BIOS settings that skip measurements to certain PCRs, such as PCR[2]. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different.

- Moving the BitLocker-protected drive into a new computer.
- Upgrading the motherboard to a new one with a new TPM.
- Losing the USB flash drive containing the startup key when startup key authentication has been enabled.
- Failing the TPM self test.
- Having a BIOS or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode.
- Changing the usage authorization for the storage root key of the TPM to a non-zero value.

  Note: The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value.

- Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).
- Pressing the F8 or F10 key during the boot process.
- Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards.
- Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.

------------
Source: http://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx#BKMK_IntegrityFail
Author Comment by: jhyiesla (LVL 28)
I figured it out. This particular model of HP laptop has a "bug" or something that is not compatible with the default config of bitlocker. I followed the instructions on this web page: http://h30434.www3.hp.com/t5/Other-Notebook-PC-questions/HP-Probook-6540b-with-Window-7-Bitlocker-Major-Issue/td-p/266926/page/2 to disable PCR 0. Now the laptop boots fine from restart as well as cold boot without asking for the key.
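The mechanism behind the accepted answer's list and the PCR 0 workaround, modelled as an added Python example (not code from the thread, Microsoft or HP): TPM 1.2 PCR extend, sealing the volume master key to a validation profile, what suspend/resume changes, and what excluding PCR 0 gives up. The boot logs, the "warm restart" difference standing in for the HP quirk, and the component names are constructed assumptions; the default Windows 7 BIOS profile (PCRs 0, 2, 4, 5, 8, 9, 10, 11) is the documented one.

```python
import hashlib

# Windows 7's default TPM validation profile on BIOS machines is PCRs
# 0, 2, 4, 5, 8, 9, 10, 11; the thread's workaround drops PCR 0 (BIOS code).
DEFAULT_PROFILE = (0, 2, 4, 5, 8, 9, 10, 11)
WORKAROUND_PROFILE = (2, 4, 5, 8, 9, 10, 11)

# Constructed boot logs: (PCR index, component measured), in boot order.
COLD_BOOT = [(0, b"hp-bios-core"), (2, b"option-roms"), (4, b"mbr-code"),
             (5, b"partition-table"), (8, b"ntfs-boot-sector"),
             (9, b"ntfs-boot-block"), (10, b"bootmgr"), (11, b"bde-access-control")]
# Stand-in for the HP quirk (assumption; the real difference is not on the page):
# on a warm restart the firmware extends one extra value into PCR 0.
WARM_RESTART = COLD_BOOT + [(0, b"warm-reset-path")]
BIOS_UPGRADE = [(0, b"hp-bios-core-v2")] + COLD_BOOT[1:]
TAMPERED_BOOTMGR = [(i, b"evil-bootmgr" if i == 10 else d) for i, d in COLD_BOOT]


def extend(pcr, measurement):
    """TPM 1.2 extend operation: PCR_new = SHA-1(PCR_old || SHA-1(measurement))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()

def measure_boot(boot):
    """Replay a boot log into fresh all-zero PCRs and return their final values."""
    pcrs = {i: bytes(20) for i in range(24)}
    for idx, component in boot:
        pcrs[idx] = extend(pcrs[idx], component)
    return pcrs

def composite(pcrs, profile):
    """Digest of the selected PCRs, in profile order: what the VMK is sealed to."""
    return hashlib.sha1(b"".join(pcrs[i] for i in profile)).digest()

def enable_bitlocker(profile, boot):
    """Turn on (or resume) BitLocker: bind the VMK to the profile's PCRs as they
    stand after this boot. Real sealing encrypts the VMK; only the policy is kept here."""
    return {"profile": profile, "composite": composite(measure_boot(boot), profile)}

def try_boot(sealed, boot):
    """True if the TPM would release the VMK; False means the recovery-key prompt."""
    return composite(measure_boot(boot), sealed["profile"]) == sealed["composite"]

def suspend_resume(sealed, boot):
    """What the recovery screen suggests: re-seal to the measurements of the current
    boot. It only helps if the next boot measures the same way again."""
    return enable_bitlocker(sealed["profile"], boot)
```

With the default profile the model reproduces the thread exactly: a warm restart fails, suspend/resume makes that restart pass and the next cold boot fail again, and dropping PCR 0 makes both pass. The cost is visible in the same model: with PCR 0 excluded, a BIOS change (BIOS_UPGRADE) no longer forces recovery, so firmware-level tampering is no longer detected, although a changed boot manager still is.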
Author Closing Comment by: jhyiesla (LVL 28)
Not a specific answer, but it did include pertinent information.