TPM triggers request for key although no hardware has been changed on ThinkPad W520 with bitlocker

Started ‎03-29-2012 by
Modified ‎03-29-2012 by

Question

I am using a Lenovo ThinkPad W520 running Microsoft Windows 7 Enterprise with BitLocker enabled and encryption keys stored on the Trusted Platform Module (TPM). The laptop is frequently used with a docking station. No changes have been made to the hardware connected to the laptop, the hardware inside the laptop, or the hardware connected to the docking station.

Although the hardware remains unchanged I seem to be randomly prompted with the TPM prompt to unlock the device on startup.

What events should trigger for the TPM to prompt for the key?

Answer

Go to BIOS F1 setup, Startup menu, Boot.

Check the boot order.

Best practice for bitlocker is to remove every device from the boot order that you don't use, and put the HDD at the very top of the boot order.

The #1 cause for unexpected bitlocker recovery prompts is not having the HDD at the top of the boot order.

If the hardware configuration or BIOS version recently changed, then bitlocker will prompt at every boot (by design).

To fix this you need to suspend/resume bitlocker protection in the bitlocker control panel.

When bitlocker is initially configured, it uses the current system status (in the TPM Platform Configuration Registers) to seal the encryption key. The encryption key can only be unsealed for subsequent boots when the PCRs match their original value. When the PCRs are unchanged since the last boot, this tells bitlocker that the system state is trusted and it is not under any kind of attack. So if you change (certain) BIOS settings or do something else to cause a PCR value to change, then you can undo that change to get the PCRs to match again so that you can boot normally.

You can read Microsoft documentation about bitlocker if you want to know the details about what the PCRs measure.

For more information on bitlocker, visit Microsoft's FAQ page on bitlocker:

http://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx#BKMK_examplesosrec
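The sealing behaviour the answer describes, modelled as an added Python example (not code from the original post or from Microsoft): PCRs are built by the TPM extend operation, the key is bound to a digest of selected PCRs, a different boot path changes a PCR so the unseal fails (the recovery prompt), and suspending/resuming protection reseals to the new values. The SRK wrap, the measurement events, the PCR indices 0 and 4, and the docked boot-order scenario are all constructed for illustration.

```python
import hashlib
import hmac

PCR_LEN = 20  # TPM 1.2 PCRs are SHA-1 sized, as on a W520-era ThinkPad


def extend(pcr, event):
    """TPM extend: PCR_new = SHA1(PCR_old || SHA1(event))."""
    return hashlib.sha1(pcr + hashlib.sha1(event).digest()).digest()


def measure(events):
    """Replay one boot's measurement log into a PCR that starts at all zeros."""
    pcr = b"\x00" * PCR_LEN
    for event in events:
        pcr = extend(pcr, event)
    return pcr


def composite(pcrs):
    """Digest over the selected PCRs; this is what a sealed blob is bound to."""
    return hashlib.sha1(b"".join(pcrs[i] for i in sorted(pcrs))).digest()


def seal(vmk, pcrs):
    """Bind the key to the current PCR state (toy XOR wrap standing in for SRK-protected RSA)."""
    digest = composite(pcrs)
    pad = hashlib.sha256(b"constructed-srk-secret" + digest).digest()
    return {"pcr_digest": digest, "blob": bytes(a ^ b for a, b in zip(vmk, pad))}


def unseal(sealed, pcrs):
    """Release the key only if PCRs equal the sealed values; None means 'recovery prompt'."""
    digest = composite(pcrs)
    if not hmac.compare_digest(digest, sealed["pcr_digest"]):
        return None
    pad = hashlib.sha256(b"constructed-srk-secret" + digest).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], pad))


def boot_scenarios():
    """Returns (normal boot unseals, changed boot path blocks, reseal after suspend/resume unseals)."""
    vmk = hashlib.sha256(b"constructed volume master key").digest()
    firmware = measure([b"BIOS constructed v1", b"boot order: HDD0, LAN, USB"])
    boot_code = measure([b"MBR", b"bootmgr"])
    sealed = seal(vmk, {0: firmware, 4: boot_code})  # PCR indices are illustrative
    ok_normal = unseal(sealed, {0: firmware, 4: boot_code}) == vmk
    # Constructed: HDD not first, so a dock-attached device is tried first and measured differently.
    firmware_docked = measure([b"BIOS constructed v1", b"boot order: LAN, HDD0, USB"])
    blocked = unseal(sealed, {0: firmware_docked, 4: boot_code}) is None
    # Suspend/resume protection reseals the VMK to whatever PCR values are now in effect.
    resealed = seal(vmk, {0: firmware_docked, 4: boot_code})
    ok_after = unseal(resealed, {0: firmware_docked, 4: boot_code}) == vmk
    return ok_normal, blocked, ok_after
```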