02-25-2014 09:51 AM
I have a T530 with a Docking station and a USB connected printer.
The printer is a HP LaserJet Pro 400 color MFP M475dw(CE864A) with a connection for USB Sticks
Everytime the laptop is talken off the docking station and powered off then placed back on to the dock and powered by one BitLocker locks. If the printer is disconnected then there is no issue.
Has anyone ran into something like with when using bitlocker for encrytion?
I did update the Bios and updated the OS and updated the Lenovo system updates as well.
02-25-2014 08:41 PM
02-27-2014 10:29 AM
Yes the same thing occurs when the usb cable for the printer is connected directly to the laptop.
It is seeing this model printer as boot device is my guess.
Any other ideas with bitlocker.
All I can have them do now is to plug in the usb cable after the laptop gets to the Ctrl + Alt + Delete screen
And that can not be the fix for this.
All help is appreciated.
02-27-2014 11:47 AM
Also tested a bootable usb drive.
The Bios is set to have the HD as the first Boot device.
Power off the laptop - connected the usb drive and turned on the laptop.
It booted straight into windows.
Rebooted again and still went into windows.
If the usb cable for the printer is either connected to the laptop or the docking station it will set off bitloker.
But not after you reset bitlock only if you change something ie.
- reset bitlocker to not lock with the printer usb cable attached.
- now power off the laptop - remove it from the dock and power it on - ( no problems goes into Windows )
- now power off the laptop - place it back on the docking station - usb for the printer is connected - power it up and
Bitlocker locks the computer.
02-27-2014 11:54 PM
02-28-2014 06:29 AM
First, try removing all the USB devices from the boot order in BIOS setup.
If that doesn't work, then the only other solution is to find and disable (by experimenting) the PCR that is causing the problem with your printer:
2. local computer policy -> computer configuration -> administrative templates -> windows components -> bitlocker drive encryption -> operating system drives -> configure TPM validation profile
Note that you can't change the PCR settings after bitlocker is already enabled. So you have to disable/decrypt, then change the settings, enable/encrypt/test, etc until you find the setting that works.
If I had to guess, it's probably PCR2 option ROM code.
02-28-2014 06:35 AM
I just remembered that I created a tool a while ago to help debug this type of problem. Run it from a command prompt with admin rights.
It will list the value of all the TPM PCRs. The idea is to save this output for a successful boot. Then, attach the printer and do a failed boot (with bitlocker recovery) and run the tool again. Which PCR is different?
Then, modify the policy in gpedit.msc to exclude that PCR.
03-05-2014 10:38 AM
Quote from gpedit.msc:
>> This policy setting does not apply if [...] BitLocker has already been turned on with TPM protection.
So you may have to turn off bitlocker, change the policy, and then turn it on again. suspending bitlocker may not be enough, but I guess you could try it anyway.
Which PCR was different based on whether printer is connected or not? Please share with the forum because it might help someone else with the same problem.