07-20-2017 10:39 AM
Thanks. We are seeing this issue only on X270 but not on others. Like we have X1 Carbon G5, G4, G3 and X240 and X250's. We are using the same process to build the images. As soon as the image is build with SCCM and a reboot happens for any Software update, it keeps asking the Recovery key.
I am going to Suspend/Resume the Bitlocker, but would be an tedious job for all the 300 devices that we are planning for. Any suggestions please ?
07-20-2017 10:45 AM
If suspend/resume works, it means BitLocker somehow sealed the encryption key to some temporary HW/BIOS configuration that was later changed. Such as BIOS update, boot order, some setting, etc. If suspend/resume doesn't work, and BitLocker still prompts for recovery key after every reboot, something else is going on.
07-21-2017 06:45 AM
It still prompts for recovery key after resume/suspend. So what else needs to be checked ?
Can you post a screenshot of diskmgmt.msc, and a screenshot of tpm.msc?
07-21-2017 06:48 AM
I'm in the process of re-deploying my T470s with different BIOS configuration - aiming to seeif there is a reliable / repeatable failure state. But following up on kuvinod7's last post - I had a T470s displayiong the issue, if I did a FULL decrypt / soft reboot / encrypt it would then soft reboot ok. However as soon as I cold boot the problem came back.
Just FYI, out North American team have reported that Win10 + legacy mode also cuases the recovery key prompt - if they go back to UEFI its fine. Not wanting to jump to conclusions on that basis, but for us its definietly works better under UEFI / Win10. Also I should have pointed out our SKU (20JT) - this is a so-called 'Skabylake' model
07-21-2017 07:53 AM
Your screenshots are showing Win7 legacy boot with TPM 1.2. Same config on X270 works here. So I have no idea what the problem is. But we can do one more test.
1. download this .zip and extract to your system that is failing: https://www.dropbox.com/s/mxl53f2dpl5vuwn/readPcr.zip?dl=0
2. suspend BitLocker
3. open command prompt as admin
4. run "readPcr.exe > 1.txt" and save 1.txt
5. resume BitLocker
6. reboot the system. I guess you see a recovery prompt. enter the recovery key and boot Windows
7. open command prompt as admin
8. run "readPcr.exe > 2.txt" and save 2.txt
9. create a .zip file with 1.txt and 2.txt, and post it here