April 6th, 2018 08:00

Latitude 5490 peripherals connected to WD15 dock do not work during POST

I searched and found this article which perfectly describes my issue, but for 2 other Latitude models, and not mine (5490).

http://www.dell.com/support/article/ca/en/cadhs1/sln305907/latitude-7280-and-7480-peripherals-connected-to-wd15-dock-do-not-work-during-post?lang=en

I updated to latest BIOS for the Latitude 5490 (1.1.9), and the WD15 dock already has the latest firmware.

This is a big problem for BitLocker. We usually keep the lid closed and power on via the dock and then use external keyboard to enter the BitLocker PIN, but now we can't do this. We have to open the lid to use the internal keyboard instead.

19 Posts

April 16th, 2018 11:00

Thanks for the information you provided. My 5490 doesn't have a Thunderbolt port, no setting for it in BIOS as a consequence, as you indicated.

BitLocker can be easily reset by suspending and re-enabling but that wasn't the issue.

If anyone else is having this problem, I took the time to come back and provide you the solution; you need to make sure the BIOS setting for "Post Behavior" > "Fastboot" is set to "auto". By default out-of-the-box, it is set to "minimal". I did not test it with the "thorough" setting but according to the description that setting should also work.

Cheers.

4 Operator

14K Posts

April 6th, 2018 08:00

The solution described there should still apply to the 5490, but note that you need both the BIOS update and those BIOS settings enabled.  For some reason, even though the WD15 interfaces with the system over regular USB-C rather than Thunderbolt, the Thunderbolt pre-boot settings apply to it.  If you don't have those BIOS settings available because your 5490 wasn't optioned with Thunderbolt, I'm not sure what to recommend.

Note however that since you're using BitLocker, enabling Thunderbolt pre-boot can create problems. I know this is a problem with the TB16 dock that uses Thunderbolt, but I'm not sure about the WD15, so please report back on your findings here. But just in case you encounter this, there are two main reasons pre-boot support is disabled by default. The first is Thunderbolt's default security policy involves the user having to authorize attached devices to grant them access to the system, since Thunderbolt devices can run on PCIe and therefore can get low-level hardware access -- but when pre-boot support is enabled, devices attached at boot are automatically authorized. The second issue relates to BitLocker, and it is that when pre-boot support is enabled, anything connected via Thunderbolt (and maybe USB-C, not sure) becomes part of the system's hardware environment that is included (by default) in the BitLocker platform integrity check. With BitLocker, the TPM only releases the key if it detects that the hardware environment has not changed in a way that could compromise security -- but when Thunderbolt devices are included, the dock's attachment state becomes one of those factors. So for example if you have a Thunderbolt device attached when you enable BitLocker, then the TPM will "seal" with that hardware environment, including the dock, and as a result, the first time you try to boot without the dock connected, BitLocker will prompt for a Recovery Key because the system will have failed the platform integrity check and therefore the TPM will have refused to release the key. If you enter the Recovery Key, the TPM will "reseal" with the dock-less hardware profile, but then when you next boot with the dock connected, you'll see the same thing. You can't seal a key with multiple hardware profiles.
It is possible to use Group Policy to customize what items should be included in the platform integrity check, but the change you have to make to exclude Thunderbolt devices would allow a lot of other potentially malicious hardware to be introduced without the system locking itself down.
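
The seal/reseal behaviour described in the reply above can be reproduced with a toy model of TPM measurement. This is an added example, not part of the original thread and not BitLocker or TPM code: the measurement labels are constructed, and it assumes, as the reply describes, that a dock attached at boot is measured into the platform state when pre-boot support is enabled.

```python
import hashlib
import hmac

# Constructed measurement labels; real firmware measures code and config, not strings.
BASE = [b"firmware", b"boot-manager"]
DOCK = b"dock-preboot-device"   # assumed to be measured only when attached at boot

def extend(pcr: bytes, data: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(data)). Order-dependent, irreversible."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def boot_pcr(docked: bool) -> bytes:
    """Replay one boot's measurements from the all-zero reset value."""
    pcr = bytes(32)
    for m in BASE + ([DOCK] if docked else []):
        pcr = extend(pcr, m)
    return pcr

class ToyTpm:
    """Holds one key bound to exactly one expected PCR value."""
    def __init__(self):
        self._key = self._expected = None

    def seal(self, key: bytes, pcr: bytes) -> None:
        self._key, self._expected = key, pcr      # a reseal replaces the old binding

    def unseal(self, pcr: bytes):
        if self._expected is not None and hmac.compare_digest(pcr, self._expected):
            return self._key
        return None                                # mismatch: key is withheld

def simulate(boots, enabled_while_docked=True):
    """Return 'unlocked' or 'recovery' for each boot in sequence."""
    tpm, key, out = ToyTpm(), b"volume-key", []
    tpm.seal(key, boot_pcr(enabled_while_docked))
    for docked in boots:
        pcr = boot_pcr(docked)
        if tpm.unseal(pcr) == key:
            out.append("unlocked")
        else:
            out.append("recovery")
            tpm.seal(key, pcr)                     # recovery key entered: reseal to current state
    return out

if __name__ == "__main__":
    print(simulate([True, False, False, True]))
```

Each change in the dock's attachment state yields a different final measurement, so the model alternates between unlocking and asking for recovery exactly as the reply describes.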
