On Dell systems with Windows 10 installed and configured for UEFI BIOS mode, BitLocker may experience issues with failing to turn on or prompting for the recovery key when the system is rebooted. This can occur when the system is also unable to support the TPM firmware flash from version 1.2 to version 2.0. The resolution covered in this article can be used to configure BitLocker to work with the TPM 1.2 firmware on Dell systems that support Windows 10/UEFI and that do not support the firmware upgrade to TPM 2.0.
BitLocker Fails to turn on or prompts for the Recovery Key after every reboot with Windows 10, UEFI, and the TPM 1.2 Firmware
The Latitude 12 Rugged (7202) is an example of a tablet that is currently shipping with Windows 10/UEFI and the TPM 1.2 firmware. By default, BitLocker will not work in this configuration and this platform does not support TPM 1.2<->2.0 mode changes. The resolution below has been tested for the 7202 and will allow the use of BitLocker with TPM 1.2 in UEFI mode by modifying which PCR indices are included in the BitLocker profile to the default UEFI selections.
NOTE: PCR (Platform Configuration Register) settings secure the BitLocker encryption key against changes to the Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0), the Option ROM Code (PCR 2), the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot Sector (PCR 8), the NTFS Boot Block (PCR 9), the Boot Manager (PCR 10), and the BitLocker Access Control (PCR 11). The default values in the BitLocker profile are different for UEFI and standard BIOS.
Some other system models ship with a Windows 7 downgrade and the TPM 1.2 firmware, and fully support the upgrade to Windows 10, yet do not allow TPM 1.2<->2.0 mode changes.
NOTE: While BitLocker may work in Legacy boot mode with the TPM 1.2 firmware, Dell continues to recommend and ship Windows 10 in UEFI from the factory.
Steps to resolve the issue
- Disable BitLocker from the Manage BitLocker pane if currently enabled and wait for decryption to complete:
- Click Start and type manage bitlocker and select the top search result (Figure 1):
Figure 1: Manage bitlocker search results
- From the BitLocker Drive Encryption Control Panel pane, select Turn off BitLocker (Figure 2):
Figure 2: BitLocker Drive Encryption Control Panel
- Click Turn off BitLocker to confirm (Figure 3):
Figure 3: Turn off BitLocker confirmation
- Go to Start and search for gpedit.msc and click the top search result to open the Local Group Policy Editor in a new window.
- In the left column browse to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives (Figure 4):
Figure 4: gpedit Operating System Drives folder
- Then on the right side double click Configure TPM platform validation profile to open up the configuration (Figure 5):
Figure 5: Configure TPM platform validation profile setting
- Select the radio button that says Enabled.
- Deselect all PCRs except 0, 2, 4, and 11 (Figure 6):
Figure 6: Enabled PCR settings
NOTE: BitLocker must be disabled before changing the PCR values. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console.
- Select Apply and OK to close out gpedit.
- Turn on BitLocker and reboot after encryption finishes.