EricHier
1 Message
0
August 14th, 2020 14:00
Hi! Are there any news on that topic? I've got exactly the same problem and found no solution so far. It would be awesome if BitLocker would trust my thunderbolt device.
gdreyv
1 Rookie • 18 Posts
0
August 14th, 2020 17:00
In general it's a BIOS issue which incorrectly handles Thunderbolt devices (they're supposed to be activated after the BitLocker check). I already posted a link to the Dell knowledge database on how it worked before. But in the current version of the BIOS it's broken for some reason.
Investigating the TPM configuration, I didn't manage to find a proper set of checkboxes to allow the Thunderbolt device without disabling security altogether.
jphughan
9 Legend • 14K Posts
0
August 14th, 2020 17:00
@EricHier It’s not a question of BitLocker trusting your Thunderbolt device. It’s because the TPM has detected a change in the system’s hardware environment. Having a Thunderbolt device connected and then removing it would trigger this too, so it’s not a device trust issue. It’s a “deviation from known trusted hardware environment” issue. You’d need the TPM to ignore any changes in Thunderbolt device connections in order to make BitLocker not have a problem here. Or you can switch BitLocker to use a standard password instead of a TPM, but then you give up the security benefit of the TPM’s “platform integrity check” completely. Are you sure that disabling those Thunderbolt boot-related options doesn’t fix this? Or does your Thunderbolt device require those options to be enabled for some reason?
jphughan
9 Legend • 14K Posts
0
August 15th, 2020 23:00
@gdreyv Disabling Thunderbolt port security wouldn’t help with this, and it would be a bad idea from a security standpoint anyway. But if you’re seeing this behavior even after disabling the Thunderbolt boot support options, then that does indeed seem like a bug. But you wouldn’t find settings to customize this check behavior in the TPM Configuration. You would have to customize the BitLocker PCR values check setting, but that requires messing with Group Policy and there isn’t a simple “ignore Thunderbolt devices” setting there.
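The mechanism jphughan describes in the two replies above (the TPM's platform integrity check, and why the only real knob is the PCR validation profile chosen through Group Policy) can be illustrated with a small simulation. The following is an added example, not code from this thread, Dell, or Microsoft: it models TPM PCR extend, sealing a key to a set of PCRs, and what happens when an extra option ROM is measured at boot. PCR indices follow the TCG PC Client convention (PCR 2 holds option ROM code from add-in devices, PCR 4 the boot manager); the measurement labels, the "default" and "no PCR 2" profiles, and the VMK are constructed for the illustration and stand in for the real opaque sealed blob.

```python
import hashlib

PCR_COUNT = 24
HASH_LEN = 32

# Constructed boot event logs (illustrative labels, not real firmware hashes).
# Each entry is (PCR index, thing measured), in the order the firmware extends them.
# PCR 2 is where UEFI firmware records option ROM code from add-in devices, which
# is how a PCIe/Thunderbolt device present at power-on changes the measurements.
BASELINE_BOOT = [
    (0, "platform-firmware-core"),
    (2, "onboard-nic-option-rom"),
    (4, "windows-boot-manager"),
    (11, "bitlocker-pre-boot-state"),
]
# Same machine, eGPU attached at power-on: one extra PCR 2 measurement.
EGPU_BOOT = BASELINE_BOOT[:2] + [(2, "thunderbolt-egpu-option-rom")] + BASELINE_BOOT[2:]
# Same machine with a modified boot manager (PCR 4 changes).
TAMPERED_BOOTMGR = [(i, "modified-boot-manager" if m == "windows-boot-manager" else m)
                    for i, m in BASELINE_BOOT]
# Same machine with a modified onboard option ROM (only PCR 2 changes).
TAMPERED_OPROM = [(i, "modified-nic-option-rom" if m == "onboard-nic-option-rom" else m)
                  for i, m in BASELINE_BOOT]

DEFAULT_UEFI_PROFILE = (0, 2, 4, 11)   # classic UEFI validation profile (assumed here)
PROFILE_WITHOUT_PCR2 = (0, 4, 11)      # what dropping PCR 2 via policy would look like

VMK = b"constructed-volume-master-key"   # placeholder, not a real BitLocker VMK


def extend(pcr_value: bytes, measurement: str) -> bytes:
    """TPM extend: new = SHA256(old || SHA256(measurement)). Order-sensitive and one-way."""
    digest = hashlib.sha256(measurement.encode()).digest()
    return hashlib.sha256(pcr_value + digest).digest()


def simulate_boot(events):
    """Replay a boot event log into a fresh bank of all-zero PCRs."""
    pcrs = {i: bytes(HASH_LEN) for i in range(PCR_COUNT)}
    for idx, measured in events:
        pcrs[idx] = extend(pcrs[idx], measured)
    return pcrs


def policy_digest(pcrs, profile) -> bytes:
    """Composite of the selected PCRs, standing in for a TPM2 PolicyPCR digest."""
    h = hashlib.sha256()
    for idx in profile:
        h.update(bytes([idx]) + pcrs[idx])
    return h.digest()


def seal(secret: bytes, pcrs, profile):
    """Bind the secret to the current values of the PCRs in the profile."""
    return {"profile": tuple(profile), "digest": policy_digest(pcrs, profile), "secret": secret}


def unseal(blob, pcrs):
    """Release the secret only if the selected PCRs match the sealed-time digest."""
    if policy_digest(pcrs, blob["profile"]) != blob["digest"]:
        return None   # TPM refuses: this is the BitLocker recovery prompt
    return blob["secret"]


def recovery_required(profile, sealed_at, booted_as) -> bool:
    """True if a key sealed at `sealed_at` cannot be unsealed after `booted_as`."""
    blob = seal(VMK, simulate_boot(sealed_at), profile)
    return unseal(blob, simulate_boot(booted_as)) is None


if __name__ == "__main__":
    scenarios = [("eGPU attached", EGPU_BOOT),
                 ("tampered bootmgr", TAMPERED_BOOTMGR),
                 ("tampered option ROM", TAMPERED_OPROM)]
    for name, profile in [("default", DEFAULT_UEFI_PROFILE), ("no PCR 2", PROFILE_WITHOUT_PCR2)]:
        for label, boot in scenarios:
            print(f"{name:8s} profile, {label:20s}: "
                  f"recovery={recovery_required(profile, BASELINE_BOOT, boot)}")
```

Running it shows the trade-off in jphughan's second reply: with the default profile the eGPU trips recovery exactly like a modified boot manager does, because the TPM cannot tell a legitimate extra measurement from a hostile one. Removing PCR 2 from the validation profile stops the eGPU prompt, but the same change makes a modified option ROM invisible to BitLocker, which is why there is no safe "ignore Thunderbolt devices" switch and why the firmware is expected to enumerate Thunderbolt devices only after the measurements BitLocker relies on are complete.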
cainz
1 Message
0
January 24th, 2021 09:00
Has anyone been able to successfully resolve this issue? Seems like BitLocker should allow for whitelisting multiple PCIe/Thunderbolt layouts.
CedricE
5 Posts
0
February 27th, 2021 13:00
I'm also encountering this issue. I get the BitLocker page when booting up with my eGPU connected, but if I unplug the USB-C cable that goes from my laptop to the eGPU and then plug it in once the loading animation starts below the Dell logo, there's no BitLocker page. I hope this is solved soon with a BIOS update or some other fix.
DaveAS
1 Message
0
May 19th, 2021 03:00
I used the solution posted in this thread: https://egpu.io/forums/pc-setup/bitlocker-tripped-on-reboot/
Worked for me with an XPS 9310 and a Lenovo Legion BoostStation.