09-21-2011 09:38 PM
My X220 has BIOS 1.21 and a Windows 7 x64 installation with UEFI, and until recently, was using BitLocker drive encryption for two drives (mSATA SSD boot disk and 320gb magnetic data disk). A few days ago, I shrunk the 320gb partition to free up some space for the Windows 8 Developer Preview. I wanted to have this installed as a dual boot option with Windows 7.
I suspended BitLocker to do the Windows 8 installation. That install didn't go so well -- I tried starting the install from within Win 7 since I don't have dual layer media and can't seem to get a thumb drive to boot while in UEFI mode on the X220. Anyway, upon resuming BitLocker and then rebooting, I get prompted for the BitLocker recovery key, every time!
I tried all sorts of things: Decrypting both drives then re-encypting. Getting rid of the failed Windows 8 partition and expanding back D: to its original size. Manually clearing the Windows Setup entry (via bcdedit) that the Win 8 installer left behind. Clearing and re-initializing the TPM. Disabling the TPM in BIOS and then re-enabling. No go! Everything "seems" to work until I have the computer reboot while its drives are encrypted (while the key is not suspended), at which point I am always prompted for the recovery key.
I tried the option which verifies system integrity (through a reboot test) before beginning encryption. This results in the following error dialog which appears twice at the next startup:
Title: BitLocker Drive Encryption
Headline: BitLocker could not be enabled.
Message: The BitLocker encryption key cannot be obtained from the Trusted Platform Module (TPM). C: was not encrypted.
In the System event log, I see the following events logged for this problem from BitLocker-Driver:
Event ID 24636: Bootmgr failed to obtain the BitLocker volume master key from the TPM.
Event ID 24641: An unexpected error was encountered attempting to retrieve the BitLocker volume master key during restart.
If I tell BitLocker to do the system check before encrypting, then I get the above two errors plus a warning:
Event ID 24609: A key was not available from required sources during restart.
Has anyone got an idea of how I may restore my X220's TPM functionality? This is driving me nuts...
Solved! Go to Solution.
09-22-2011 12:11 PM - edited 09-22-2011 12:14 PM
I've run into the same issue.
My guess is that the Windows 8 boot manager cannot properly interact with the TPM through UEFI on the most recent X220 BIOS version.
I suspect that whatever UEFI/Bitocker fix Lenovo made in the 1.21 BIOS only works for the Windows 7 boot manager, and when you installed Windows 8, it moved to a newer boot manager.
For myself, I'm giving up on UEFI for the time being. I'm going to reinstall both OS using legacy BIOS for now and wait for another UEFI update from Lenovo once they start playing with Windows 8.
11-07-2011 04:53 PM
Looking through some internal release notes it appears that a problem with bitlocker and windows 8 has been fixed. The BIOS (version 1.25) is currently undergoing internal testing and will be released probably during November.
11-17-2011 12:02 AM
11-17-2011 06:07 AM
I understand all this, but on the other hand:
1. I am a developer. Windows 8 Developer Preview was also intended for people like me (not just hardware manufacturers).
2. I installed it to a secondary hard drive -- it affected my ability to boot from the encrypted Win 7 drive, which caught me by surprise. There is no reasonable solution to get it working again, aside from Lenovo's claimed upcoming firmware update or purchasing a separate ThinkPad for use with Win 8.
3. I posted the issue here to ensure that Lenovo has plans in place to test their support for BitLocker usage in the scenario I described, with hopes that it will eventually be fixed.
4. I'm very pleased that Lenovo will have the fix published in the next month or so.
For now I am using TrueCrypt to protect my documents, but this is far less ideal for me.
11-28-2011 07:29 AM
The X220 that fixes the Windows 8 bitlocker issue has been released, please see:
The release notes don't specifically list the fix because we aren't supposed to be mentioning Windows 8 things in official technical documentation, yet.
I haven't tested the fix myself, but if you do, please let me know if it solves your problem.