JKhana
1 Nickel

XPS 13 9365 - Bitlocker RecoveryKey every boot


Here's the deal.

I have a fresh XPS 13 9365, Windows 10 1709 updated.

I get a recovery key prompt every boot. TPM is working as intended and BIOS configured with those parameters from knowledge base http://www.dell.com/support/article/us/en/04/sln304584/bitlocker-asks-for-a-recovery-key-every-boot-...

Any other idea?

Everything is working fine on my Latitude 7280.

8 Krypton

Re: XPS 13 9365 - Bitlocker RecoveryKey every boot


Are you perhaps disconnecting and reconnecting a Thunderbolt dock or similar device?  If not and you're literally getting it every boot, it's possible the key needs to be re-added to the TPM.  The simpler way is to just disable and re-enable BitLocker, but the faster way is to delete and re-add the TPM protector itself by opening an elevated Command Prompt and entering the commands below.  Note that your Recovery Key will still work even if something goes wrong in this process, so you won't get locked out, and if something DOES go wrong, please post the error message since it may provide more information.  But the commands are:

manage-bde -protectors -delete C: -tpm
manage-bde -protectors -add C: -tpm

JKhana
1 Nickel

Re: XPS 13 9365 - Bitlocker RecoveryKey every boot


I had to adapt the commands since I use a TPM and a PIN, but I've managed to remove the TPMAndPin protector and then re-enable it. Still prompted every reboot without modifying the hardware.

I've done the suspend resume thing from control panel. Same prompt every reboot.

I have a TPM validation profile GPO; I'm going to edit it and then try again.

JKhana
1 Nickel

Re: XPS 13 9365 - Bitlocker RecoveryKey every boot


With default TPM validation 0, 2, 4, 11 everything is working.

With my hardened validation profile it's broken. Will edit with more info.

Found it: PCR 5 is causing the issue.

Thanks for the help @jphughan

8 Krypton

Re: XPS 13 9365 - Bitlocker RecoveryKey every boot


PCR 5 is the MBR partition table, which probably doesn't work on a UEFI system since it uses GPT rather than MBR disks, and a GPT disk only has a "Protective MBR".

brownie37318
1 Copper

Re: XPS 13 9365 - Bitlocker RecoveryKey every boot


So how did you fix it??? I'm an admin, and out of the blue XPS 13 systems are going to the bitlocker recovery screen at bootup. This wasn't happening before, and the timing just seems weird with no commonalities.

This issue is spreading, and in some cases the computer had no BitLocker recovery key in AD, so we were stuck in those cases giving the user a new machine.

We are set to:

* UEFI
* AHCI
* Secure Boot on
* Running TPM 1.3.2.8, Spec version 2.0

JKhana
1 Nickel

Re: XPS 13 9365 - Bitlocker RecoveryKey every boot


My BitLocker GPO was the issue. Once I removed PCR 5 from "Configure TPM platform validation profile for native UEFI firmware configurations", everything worked without a recovery key prompt at every login.

More details about the setting:

https://getadmx.com/?Category=MDOP&Policy=Microsoft.Policies.BitLockerManagement::PlatformValidation...

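For admins hitting the same symptom, here is an added check (example code, not from anyone in this thread) that reads the PCR profile pushed by the "native UEFI firmware configurations" policy, flags PCR 5 on a UEFI machine, and compares it with what manage-bde reports as sealed into the TPM protector. The registry path and the per-PCR value layout are assumed from that policy's ADMX definition; the default profile 0, 2, 4, 11 is the one quoted above.

```powershell
# Added example: audit the BitLocker TPM platform validation profile set by policy
# and flag PCR 5, which the thread identifies as the MBR partition-table
# measurement that breaks on UEFI/GPT systems. Run in an elevated PowerShell.

# Registry key written by the GPO "Configure TPM platform validation profile for
# native UEFI firmware configurations" (assumed from the policy's ADMX: one DWORD
# per PCR, named by its index, value 1 = PCR is included in the profile).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'

# Windows default profile for native UEFI, as quoted in the thread.
$defaultPcrs = 0, 2, 4, 11

function Get-ConfiguredPcrs {
    # Returns $null when no policy override exists (built-in default applies).
    if (-not (Test-Path $policyKey)) { return $null }
    $values = Get-ItemProperty -Path $policyKey
    0..23 | Where-Object {
        $p = $values.PSObject.Properties["$_"]
        $p -and $p.Value -eq 1
    }
}

$configured = Get-ConfiguredPcrs
if ($null -eq $configured) {
    Write-Host "No policy override; default PCR profile $($defaultPcrs -join ', ') applies."
} else {
    Write-Host "Policy PCR profile: $($configured -join ', ')"

    # $env:firmware_type is 'UEFI' or 'Legacy' on Windows 8 and later.
    if ($env:firmware_type -eq 'UEFI' -and $configured -contains 5) {
        Write-Warning 'PCR 5 is in the profile on a UEFI system; expect recovery prompts.'
    }

    $extra = $configured | Where-Object { $defaultPcrs -notcontains $_ }
    if ($extra) { Write-Host "PCRs beyond the default profile: $($extra -join ', ')" }
}

# Cross-check against the profile actually sealed into the TPM protector on C:
# (manage-bde prints a "PCR Validation Profile:" line for TPM-based protectors).
manage-bde -protectors -get C: | Select-String 'PCR Validation Profile'
```

If the policy profile and the manage-bde line disagree, the protector was sealed before the GPO change; re-adding the TPM protector as described earlier in the thread re-seals it with the current profile.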