TPM triggers request for key although no hardware has been changed on ThinkPad W520 with bitlocker

Started ‎03-29-2012 by
Modified ‎03-29-2012 by

Question

I am using a Lenovo ThinkPad W520 running Microsoft Windows 7 Enterprise with BitLocker enabled and encryption keys stored on the Trusted Platform Module (TPM). The laptop is frequently used with a docking station. No changes have been made to the hardware connected to the laptop, the hardware inside the laptop, or the hardware connected to the docking station.

Although the hardware remains unchanged, I seem to be randomly prompted with the TPM prompt to unlock the device on startup.

What events should trigger the TPM to prompt for the key?

Answer

Go to BIOS F1 setup, Startup menu, Boot.

Check the boot order.

Best practice for bitlocker is to remove every device from the boot order that you don't use, and put the HDD at the very top of the boot order.

The #1 cause for unexpected bitlocker recovery prompts is not having the HDD at the top of the boot order.

If the hardware configuration or BIOS version recently changed, then bitlocker will prompt at every boot (by design).

To fix this you need to suspend/resume bitlocker protection in the bitlocker control panel.

When bitlocker is initially configured, it uses the current system status (in the TPM Platform Configuration Registers) to seal the encryption key. The encryption key can only be unsealed for subsequent boots when the PCRs match their original value. When the PCRs are unchanged since the last boot, this tells bitlocker that the system state is trusted and it is not under any kind of attack. So if you change (certain) BIOS settings or do something else to cause a PCR value to change, then you can undo that change to get the PCRs to match again so that you can boot normally.

You can read Microsoft documentation about bitlocker if you want to know the details about what the PCRs measure.

For more information on bitlocker, visit Microsoft's FAQ page on bitlocker:

http://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx#BKMK_examplesosrec
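As an added illustration (not part of the answer above, and not Lenovo's or Microsoft's code), here is a small Python model of the sealing behaviour the answer describes: PCRs are extended rather than overwritten, the key is sealed against a composite of selected PCRs, a different first boot device changes the measured boot path so unsealing fails, and re-sealing (what suspend/resume does) makes it succeed again. The PCR numbers (0 and 4), the "USB" dock device and the firmware string are constructed assumptions, and the wrapping step stands in for the TPM's real storage-key encryption.

```python
"""Toy model (added here, not Lenovo's or Microsoft's code) of BitLocker sealing
a volume key to TPM 1.2 PCRs.  TPM 1.2 PCRs are 20-byte SHA-1 registers."""
import hashlib, hmac, os

PCR_SIZE = 20

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA1(PCR_old || SHA1(measurement)); never a plain overwrite."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()

def measured_boot(boot_order: list, firmware: bytes) -> dict:
    """Constructed boot model: firmware code into PCR0, first boot device's code into PCR4."""
    pcrs = {i: b"\x00" * PCR_SIZE for i in range(24)}
    pcrs[0] = pcr_extend(pcrs[0], firmware)
    pcrs[4] = pcr_extend(pcrs[4], boot_order[0].encode())
    return pcrs

def composite(pcrs: dict, selection: tuple) -> bytes:
    """Digest over the selected PCRs; this is what the key is sealed against."""
    return hashlib.sha1(b"".join(pcrs[i] for i in selection)).digest()

def seal(key: bytes, pcrs: dict, selection: tuple) -> dict:
    """Wrap the key under a value derived from the current PCR composite (simplified)."""
    comp = composite(pcrs, selection)
    wrap = hashlib.sha256(comp).digest()
    return {"selection": selection, "composite": comp,
            "blob": bytes(a ^ b for a, b in zip(key, wrap))}

def unseal(sealed: dict, pcrs: dict) -> bytes:
    """Release the key only when the live PCRs match the sealed composite."""
    comp = composite(pcrs, sealed["selection"])
    if not hmac.compare_digest(comp, sealed["composite"]):
        raise PermissionError("PCR mismatch: BitLocker asks for the recovery key")
    wrap = hashlib.sha256(comp).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))

def boot_scenario() -> tuple:
    key, fw, sel = os.urandom(32), b"BIOS 1.42 (constructed)", (0, 4)  # constructed VMK
    sealed = seal(key, measured_boot(["HDD", "USB", "LAN"], fw), sel)  # HDD first at seal time
    same = unseal(sealed, measured_boot(["HDD", "USB", "LAN"], fw)) == key
    try:  # a bootable dock device ahead of the HDD changes the measured path -> PCR4 differs
        unseal(sealed, measured_boot(["USB", "HDD", "LAN"], fw))
        prompted = False
    except PermissionError:
        prompted = True
    # suspend/resume protection re-seals the key to the PCRs as they are now
    resealed = seal(key, measured_boot(["USB", "HDD", "LAN"], fw), sel)
    fixed = unseal(resealed, measured_boot(["USB", "HDD", "LAN"], fw)) == key
    return same, prompted, fixed
```

Running `boot_scenario()` returns `(True, True, True)`: the key unseals while the boot path is unchanged, fails once a device sits ahead of the HDD, and unseals again after re-sealing.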