June 8th, 2018 08:00

XPS 13 9365 - Bitlocker RecoveryKey every boot

Here's the deal.

I have a fresh XPS 13 9365, Windows 10 1709 updated.

I get a recovery key prompt every boot. TPM is working as intended and the BIOS is configured with the parameters from this knowledge base article: http://www.dell.com/support/article/us/en/04/sln304584/bitlocker-asks-for-a-recovery-key-every-boot-on-usb-c-thunderbolt-systems-when-docked-or-undocked?lang=en

Any other ideas?

Everything is working fine on my Latitude 7280.


6 Posts

June 8th, 2018 10:00

With default TPM validation 0, 2, 4, 11 everything is working.


With my hardened validation profile it's broken. Will edit with more info.

Found it: PCR 5 is causing the issue.


Thanks for the help @jphughan

4 Operator • 14K Posts

June 8th, 2018 09:00

Are you perhaps disconnecting and reconnecting a Thunderbolt dock or similar device?  If not and you're literally getting it every boot, it's possible the key needs to be re-added to the TPM.  The simpler way is to just disable and re-enable BitLocker, but the faster way is to delete and re-add the TPM protector itself by opening an elevated Command Prompt and entering the commands below.  Note that your Recovery Key will still work even if something goes wrong in this process, so you won't get locked out, and if something DOES go wrong, please post the error message since it may provide more information.  But the commands are:

manage-bde -protectors -delete C: -tpm
manage-bde -protectors -add C: -tpm
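The delete-and-re-add step above, as an added example that is not part of the thread: a PowerShell script that does the same thing with the BitLocker cmdlets, handles both a plain TPM protector and a TPM+PIN protector (the adaptation the original poster had to make by hand), and refuses to touch anything unless a recovery password protector exists so the re-seal cannot lock you out. The mount point and the prompt text are my own choices; the cmdlets and parameters are the standard `BitLocker` module ones.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: re-create the TPM-based key protector on
# the OS volume as the reply above describes, for both a plain TPM protector
# and a TPM+PIN protector, and only after confirming that a recovery password
# protector exists so the re-seal cannot lock you out of the volume.
param(
    [string]$MountPoint = 'C:'
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Safety check: never drop the only unlock path. A recovery password must exist
# (and should already be escrowed, e.g. in AD) before the TPM protector goes.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    throw "No recovery password protector on $MountPoint. Add one first: Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
}
Write-Host "Recovery password protector present: $($recovery[0].KeyProtectorId)"

# Find the protector that is sealed to the TPM, with or without a PIN.
$sealed = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -in 'Tpm', 'TpmPin' })
if ($sealed.Count -eq 0) {
    throw "No TPM or TPM+PIN protector found on $MountPoint; nothing to re-seal."
}
$kind = $sealed[0].KeyProtectorType

# For TPM+PIN, collect the PIN before deleting anything, so the volume is never
# left without its normal protector because the user aborted at the prompt.
$pin = $null
if ($kind -eq 'TpmPin') {
    $pin = Read-Host -Prompt 'Enter the BitLocker PIN to set on the new protector' -AsSecureString
}

# Delete the old protector(s). The recovery password still unlocks the volume.
foreach ($p in $sealed) {
    Write-Host "Removing $($p.KeyProtectorType) protector $($p.KeyProtectorId)"
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# Re-add it. This seals the volume master key to the TPM against whatever PCR
# validation profile is in effect at this moment (default or GPO-supplied).
switch ($kind) {
    'Tpm'    { Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null }
    'TpmPin' { Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null }
}

# Show the result, including the "PCR Validation Profile" the new protector uses.
manage-bde -protectors -get $MountPoint
```

Run it from an elevated PowerShell on the affected machine and reboot once to confirm the prompt is gone. The final `manage-bde -protectors -get` line is the quickest way to see which PCRs the protector was sealed to, which is exactly what turned out to matter later in this thread.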

6 Posts

June 8th, 2018 09:00

I had to adapt the commands since I use a TPM and a PIN, but I've managed to remove the TPMAndPin protector and then re-enable it. It still prompts on every reboot without modifying the hardware.

I've done the suspend/resume thing from Control Panel. Same prompt every reboot.

I have a TPM validation profile GPO; I'm going to edit it and then try again.

4 Operator • 14K Posts

June 8th, 2018 11:00

PCR 5 is the MBR partition table, which probably doesn't work on a UEFI system since it uses GPT rather than MBR disks, and a GPT disk only has a "Protective MBR".


1 Message

October 16th, 2018 09:00

So how did you fix it??? I'm an admin, and out of the blue XPS 13 systems are going to the BitLocker recovery screen at bootup. This wasn't happening before, and the timing just seems weird, with no commonalities.

This issue is spreading, and in some cases the computer had no BitLocker recovery key in AD, so we were stuck in those cases giving the user a new machine.

We are set to:

* UEFI
* AHCI
* Secure Boot on
* Running TPM 1.3.2.8, spec version 2.0

6 Posts

October 16th, 2018 09:00

My BitLocker GPO was the issue. Once I removed PCR 5 from "Configure TPM platform validation profile for native UEFI firmware configurations", everything worked without a recovery key prompt at every login.

More details about the setting:

https://getadmx.com/?Category=MDOP&Policy=Microsoft.Policies.BitLockerManagement::PlatformValidation_UEFI_Name
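To check for the same misconfiguration across a fleet, here is an added example (my own script, not something posted in the thread): it reads the PCR profile that the GPO above writes to the registry, reads the profile each existing TPM protector on C: was actually sealed to, and flags PCR 5. Two assumptions to verify on your own build: the policy's registry location is `HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI` with `Enabled = 1` and one DWORD per PCR named "0" to "23" (as listed on the getadmx page), and the sealed profile is available through the `Win32_EncryptableVolume` WMI method `GetKeyProtectorPlatformValidationProfile`. The "known good" set is the 0, 2, 4, 11 profile the original poster reports working on this laptop.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: audit the TPM platform validation profile
# on a UEFI machine. Compares the profile pushed by the GPO (registry) with the
# profile the TPM protector on C: is actually sealed to, and flags PCR 5.
# Assumptions (verify on your build): the policy's registry layout below, and
# the Win32_EncryptableVolume method used to read the sealed profile.

$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$KnownGood    = 0, 2, 4, 11   # the profile this thread reports working on the XPS 13 9365
$WmiNamespace = 'root/CIMV2/Security/MicrosoftVolumeEncryption'

function Get-PolicyPcrProfile {
    # Returns the PCR list the GPO pushes, or $null when the policy is not configured.
    if (-not (Test-Path $PolicyKey)) { return $null }
    $props = Get-ItemProperty -Path $PolicyKey
    if ($props.Enabled -ne 1) { return $null }
    [int[]]@(0..23 | Where-Object { $props.PSObject.Properties["$_"] -and $props."$_" -eq 1 })
}

function Get-SealedPcrProfile([string]$MountPoint = 'C:') {
    # Returns, per TPM-based protector on the volume, the PCR list it was sealed to.
    $vol = Get-CimInstance -Namespace $WmiNamespace -ClassName Win32_EncryptableVolume `
                           -Filter "DriveLetter='$MountPoint'"
    $ids = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
           Where-Object { $_.KeyProtectorType -in 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' } |
           Select-Object -ExpandProperty KeyProtectorId
    foreach ($id in $ids) {
        $r = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorPlatformValidationProfile `
                              -Arguments @{ VolumeKeyProtectorID = $id }
        if ($r.ReturnValue -ne 0) {
            throw "GetKeyProtectorPlatformValidationProfile failed for $id (0x$($r.ReturnValue.ToString('x')))"
        }
        [pscustomobject]@{ KeyProtectorId = $id; PCRs = [int[]]$r.PlatformValidationProfile }
    }
}

function Test-PcrProfile([int[]]$Pcrs) {
    # Returns a list of findings; an empty list means nothing to flag.
    $findings = @()
    if ($Pcrs -contains 5) {
        $findings += 'PCR 5 (partition table; a GPT disk only carries a protective MBR) is included. ' +
                     'This thread found it forces the recovery prompt on every boot of the XPS 13 9365.'
    }
    foreach ($extra in ($Pcrs | Where-Object { $_ -notin $KnownGood -and $_ -ne 5 })) {
        $findings += "PCR $extra is not in the profile reported working here (0, 2, 4, 11); confirm it is stable across reboots, docks and firmware updates before deploying."
    }
    return $findings
}

# Report the policy side.
$policy = Get-PolicyPcrProfile
if ($null -eq $policy) {
    Write-Host 'GPO not configured; the Windows default UEFI profile applies.'
} else {
    Write-Host "GPO profile: $($policy -join ', ')"
    Test-PcrProfile $policy | ForEach-Object { Write-Warning $_ }
}

# Report what the existing protector was actually sealed to. A protector created
# before the GPO changed keeps its old profile, which is why the original poster
# still had to delete and re-add the protector after fixing the policy.
foreach ($s in Get-SealedPcrProfile 'C:') {
    Write-Host "Protector $($s.KeyProtectorId) sealed to PCRs: $($s.PCRs -join ', ')"
    Test-PcrProfile $s.PCRs | ForEach-Object { Write-Warning $_ }
    if ($policy -and (Compare-Object $policy $s.PCRs)) {
        Write-Warning "Sealed profile differs from the GPO profile; re-add the protector (manage-bde -protectors -delete/-add) so the new profile takes effect."
    }
}
```

The script only reads; the fix itself is the GPO change described in the post above followed by deleting and re-adding the TPM protector. Note that a profile which passes this audit can still be unstable on other hardware: the only real test is several reboots, dock and undock cycles, and a firmware update with the protector in place and a recovery key safely escrowed.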
