08-14-2017 07:48 AM
On X270 [Model : 20K5S29H00], with Windows 7 and Legacy BIOS [1.19], every time the machine is shut down it asks for the BitLocker recovery key. When the machine is restarted, it does not prompt at all. There is no special PCR configuration. Not sure what else has to be checked. Any help?
08-15-2017 10:40 AM
Is this the same issue you reported here? https://forums.lenovo.com/t5/ThinkPad-X-Series-Laptops/X270-Bitlocker-requests-recovery-key-every-ti...
Your last update in that thread was that you removed some other software and your problem stopped. And you tested multiple reboots and shutdowns.
What's changed since then?
08-15-2017 10:43 AM
Hi - Yes, the issue is somewhat similar. But it seems that was not the right solution - Symantec products.
This time there is no change with our image deployments, and the only thing is that it happens only during shutdown. If I restart, every time all looks good. Can you please confirm whether, in my boot order before imaging the device, the first one should be the HDD, followed by the others?
08-15-2017 12:22 PM
I believe this is the cause of all our problems. In our boot order, we have the following:
1. Windows Boot Manager
2. USB CD
3. USB FDD
4. NVMe0 Samsung HDD
5. ATA HDD1
So do you want us to change the boot order and make NVMe0 Samsung HDD the first?
08-15-2017 12:38 PM
It is MSFT's best practice to put HDD as 1st in the boot order. If you don't do this, then you may get unexpected recovery prompts. https://technet.microsoft.com/en-us/library/hh831507(v=ws.11).aspx
You told me earlier that you are doing legacy boot, but legacy boot does not put a "Windows Boot Manager" entry in the boot order. So at some point you must have booted a UEFI-enabled OS. Having this UEFI boot entry for legacy Windows might also cause a problem.
08-15-2017 03:58 PM
This boot order is from the out-of-the-box device. As we unpacked it and went into the BIOS, this is what we found.
Right, and you will have to change the boot order as per MSFT's best-practice for deploying BitLocker. It can be done in a remote/automated way by using WMI: https://support.lenovo.com/us/en/solutions/ht100612
08-18-2017 09:56 AM
I have just spent the last 3 days working on this same issue. This is only a suggestion, and let us know what happens. So far it is working on the machines that I am still testing today on Windows 7 x64, T470 and X270.
* Make sure you have updated the BIOS to the latest version.
* Set the TPM to 1.2
* Secure Boot disabled
* UEFI\LEGACY = BOTH = LEGACY FIRST
This is what everyone suggests.
What I changed today is that I set, in the boot order, the hard drive first and moved the Windows Boot Manager to the end of the list.
So far I am testing 6 machines with different boot options and I have not received the BitLocker key request since I made the change.
Let me know what happens. Crossing fingers.
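As an added example, not code from this thread or from Lenovo, here is a PowerShell script that does the check the two suggestions above describe: it reads the current boot order through the Lenovo BIOS WMI interface mentioned in the earlier reply, warns when the hard drive is not the first device, and lists the PCRs the TPM key protector on C: validates, so a boot-path change can be matched against what BitLocker measures. It assumes the `root\wmi` `Lenovo_*` classes are present on the model, that the script runs elevated, and that the device names in the commented-out `$newOrder` line are a model-specific placeholder you replace with names taken from the current value.

```powershell
# Added example (not from the thread). Run as Administrator on the ThinkPad.
# Assumption: this model exposes Lenovo_BiosSetting / Lenovo_SetBiosSetting /
# Lenovo_SaveBiosSettings in root\wmi. Device names such as "HDD0" differ per
# model, so read the current value before writing a new one.

# 1. Read the BootOrder setting. CurrentSetting is formatted "Name,Value" and
#    the value is a colon-separated list of boot devices.
$settings  = Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosSetting
$bootOrder = ($settings | Where-Object { $_.CurrentSetting -like 'BootOrder,*' }).CurrentSetting
$devices   = ($bootOrder -split ',', 2)[1] -split ':'
Write-Host "Current boot order: $($devices -join ' > ')"

# 2. Warn when the first device is not a hard drive. A USB or optical device
#    (or a stray UEFI "Windows Boot Manager" entry on a legacy install) ahead of
#    the disk changes the measured boot path and can trigger recovery prompts.
if ($devices[0] -notmatch '^(HDD|NVMe)') {
    Write-Warning "First boot device is '$($devices[0])', not the hard drive; BitLocker may request the recovery key."
}

# 3. Show which PCRs the TPM protector on C: validates, so the boot-order change
#    can be correlated with BitLocker's platform validation profile.
$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
$tpmProtectors = $vol.GetKeyProtectors(1)          # key protector type 1 = TPM
foreach ($id in $tpmProtectors.VolumeKeyProtectorID) {
    $profile = $vol.GetKeyProtectorPlatformValidationProfile($id)
    Write-Host "TPM protector $id validates PCRs: $($profile.PlatformValidationProfile -join ',')"
}

# 4. To apply the recommended order (hard drive first), uncomment the lines below
#    and replace the PLACEHOLDER with device names copied from step 1. If a
#    supervisor password is set, SetBiosSetting also needs ",<password>,ascii,us".
# $newOrder = 'HDD0:USBCD:USBFDD:NVMe0'   # PLACEHOLDER, model-specific names
# (Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosSetting).SetBiosSetting("BootOrder,$newOrder")
# (Get-WmiObject -Namespace root\wmi -Class Lenovo_SaveBiosSettings).SaveBiosSettings()
```

Suspend BitLocker (`manage-bde -protectors -disable C:`) before changing firmware settings and resume it after the next boot, so the new measurements are sealed without a recovery prompt.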