03-26-2012 06:59 AM
I am using a Lenovo ThinkPad W520 running Microsoft Windows 7 Enterprise with BitLocker enabled and encryption keys stored on the Trusted Platform Module (TPM). The laptop is frequently used with a docking station. No changes have been made to the hardware connected to the laptop, the hardware inside the laptop, or the hardware connected to the docking station. Although the hardware remains unchanged I seem to be randomly prompted with the TPM prompt to unlock the device on startup. This is a severe usability issue. The prompts are so frequent that the TPM no longer provides any value. The value of holding the keys in the TPM is lost when the number of prompts for the key is unpredictable and too frequent.
What events should trigger for the TPM to prompt for the key? Have other users found the TPM to be usable on other W520 machines with Windows 7?
Test System: Lenovo ThinkPad W520
03-26-2012 10:57 AM
Go to BIOS F1 setup, Startup menu, Boot.
What is your boot order?
Best practice for bitlocker, is to remove every device from the boot order that you don't use, and put the HDD at the very top of the boot order.
#1 cause for unexpected bitlocker recovery prompts is not having the HDD at the top of the boot order.
If you changed your hardware configuration or BIOS version recently, then bitlocker will prompt at every boot (by design). To fix this you need to suspend/resume bitlocker protection in the bitlocker control panel.
03-27-2012 06:17 AM
Thanks for the advice "someotherguy." My original boot order had the DVD before the HDD. I disabled all of the devices other than the "ATA HDD0 TOSHIBA MK1661GSY" device, which is now number one and the only entry in the list.
I then used the Microsoft Windows 7 Enterprise "BitLocker Drive Encryption" Control Panel to "Suspend Protection." I then immediately clicked "Resume Protection" to cycle it.
A subsequent shut down / boot cycle booted directly to Microsoft Windows 7 and did not display the TPM prompt.
One guess to explain the troubles is that perhaps leaving movie DVDs in the DVD player was seen as a change event by the BIOS due to the DVD player having been before the HDD in the boot order. I will give this new BIOS configuration some time and see if I can achieve some reliable behavior with the TPM.
03-27-2012 06:32 AM - edited 03-27-2012 06:44 AM
For reference, it appears that entering BIOS and exiting without saving any changes still triggers the TPM to prompt for the key. Rather than discovering all of the actions that trigger the TPM to lock the keys, is there documentation describing the actions? Such documentation would significantly improve the usability as it would make the TPM more predictable.
UPDATE: I performed another reboot to BIOS, changed "Config -> Power -> Optical Drive Speed" from "Normal" to "High Performance" and saved the change to BIOS. This visit to BIOS and saving of changes to settings did not trigger the TPM to prompt for a key.
03-27-2012 02:31 PM
The TPM doesn't prompt for anything. Bitlocker itself is prompting, so to know how bitlocker works, you would need to consult Microsoft.
Here's a website that you may find interesting:
03-27-2012 06:22 PM
I found the bitlocker bios checks to be somewhat odd. One time I was able to 'trick' it to not prompt after I made a change in the bios, saved and exited, got prompted by bitlocker to enter my key (I had left it at home), changed the setting back to what it was in the bios originally and it passed the bios check. No idea if that is supposed to happen or if it was just a fluke.
03-27-2012 07:13 PM
That's normal. When you originally configured bitlocker, it used the current system status (in the TPM Platform Configuration Registers) to seal the encryption key. The encryption key can only be unsealed for subsequent boots when the PCRs match their original value. When the PCRs are unchanged since the last boot, this tells bitlocker that the system state is trusted and it is not under any kind of attack. So if you change (certain) BIOS settings or do something else to cause a PCR value to change, then you can undo that change to get the PCRs to match again so that you can boot normally.
You can read Microsoft documentation about bitlocker if you want to know the details about what the PCRs measure.
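The PCR sealing described in the reply above, as an added toy model (not the forum's, Lenovo's or Microsoft's code). The boot-event strings, the SHA-1 extend chain and the seal/unseal construction are assumptions standing in for what the firmware actually measures; the point it shows is that the key unseals only when the same measurements land in the same order, that a DVD-first boot order with a disc inserted changes the value, and that reverting a BIOS setting brings the PCR back.

```python
import hashlib
import hmac

# Constructed boot-event lists standing in for what the BIOS measures into a PCR
# before handing off to the OS loader. Real PCR contents are firmware-specific.
BOOT_HDD_ONLY = [b"BIOS 1.36", b"boot-order: HDD0", b"boot-dev: ATA HDD0"]
BOOT_DVD_FIRST = [b"BIOS 1.36", b"boot-order: DVD,HDD0", b"boot-dev: ATA HDD0"]
BOOT_DVD_WITH_DISC = [b"BIOS 1.36", b"boot-order: DVD,HDD0",
                      b"optical: disc present", b"boot-dev: ATA HDD0"]

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2-style extend: PCR = SHA1(PCR || SHA1(measurement)). A register can
    only be advanced this way, never written directly, so order and content both matter."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()

def boot_pcr(events) -> bytes:
    """Replay one boot: start from the reset value (all zeros) and extend each event."""
    pcr = bytes(20)
    for ev in events:
        pcr = extend(pcr, ev)
    return pcr

def seal(key: bytes, pcr: bytes):
    """Toy seal: derive a wrapping key from the PCR value, mask the 32-byte key and MAC it."""
    kek = hashlib.sha256(b"seal:" + pcr).digest()
    pad = hashlib.sha256(b"pad:" + kek).digest()
    ct = bytes(a ^ b for a, b in zip(key, pad))
    return ct, hmac.new(kek, ct, hashlib.sha256).digest()

def unseal(blob, pcr: bytes):
    """Returns the key only if the PCR at this boot equals the PCR at seal time,
    otherwise None (this is the point where BitLocker drops to the recovery prompt)."""
    ct, tag = blob
    kek = hashlib.sha256(b"seal:" + pcr).digest()
    if not hmac.compare_digest(tag, hmac.new(kek, ct, hashlib.sha256).digest()):
        return None
    pad = hashlib.sha256(b"pad:" + kek).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def boot_attempts(vmk: bytes, sealed_with, attempts):
    """Seal under one boot configuration, then report which later boots unseal cleanly."""
    blob = seal(vmk, boot_pcr(sealed_with))
    return [unseal(blob, boot_pcr(events)) == vmk for events in attempts]

VMK = hashlib.sha256(b"constructed volume master key").digest()  # 32 constructed bytes

if __name__ == "__main__":
    print(boot_attempts(VMK, BOOT_HDD_ONLY, [BOOT_HDD_ONLY, BOOT_DVD_FIRST, BOOT_HDD_ONLY]))
    print(boot_attempts(VMK, BOOT_DVD_FIRST, [BOOT_DVD_FIRST, BOOT_DVD_WITH_DISC]))
```

The third attempt in the first list succeeds again because the boot order was put back, which is the "change it back and it passes" behaviour seen earlier in the thread; suspending and resuming protection is what re-seals to a new PCR value when the change is meant to stay.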