Bitlocker Recovery Key Issue

[johnsonrs12]

This is a fun one. I have a precision dell m4700 that uses bitlocker recovery because it is a work laptop. Randomly this pc upon booting up will ask for recovery key.
I have reimaged this PC 3 different times. And upon testing i do about 7-10 reboots and randomly out of those times it will ask for recovery key. Even if i type the recovery key in, 3 reboots later it will ask again.
TPM settings are correct, i have also update them through Dell, I have also updated the BIOS, swapped the hard drive, made sure it was a secure connection between motherboard and SSD, and no avail. I can decrypt it no issue, but the laptop must be encrypted. No issues occur during the encryption.
I have also update windows before and after to see if issue persist and it does.
Any suggestions besides swapping out the motherboard? That is my last option. Thank you

 

[cdogg]

BitLocker is detecting some kind of hardware change or hardware inconsistency during bootup, though the fact that it's random is odd.

In Windows, go to "Manage BitLocker" (you can type it in the Start Menu). Choose the option to suspend BitLocker and reboot. After rebooting, go back to "Manage BitLocker" and choose Resume.

This will allow any detected hardware changes to become a part of the new BitLocker signature, hopefully resolving the issue. Because it was random, however, you might want to consider multiple reboots with BitLocker suspended before resuming.



-Carl
"The glass is neither half-full nor half-empty: it's twice as big as it needs to be."

[tab][navy]For this site's posting policies, click [/navy]here.

 

[goombawaho]

Why not turn bitlocker off and just use a SATA HDD password? I would consider that safer in the sense of less risk getting your data encrypted and unrecoverable.

"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares.

 

[johnsonrs12]

Not an option, must be encrypted percompany policy, extreme confidential governemtn files.

 

[goombawaho]

Are you sure there's a difference - a locked SATA drive might as well be encrypted from what I understand, i.e. inaccessible.

"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares.

 

[strongm]

Not entirely true, goombawaho

 

[cdogg]

johnsonrs12,
Did that workaround I suggested above work?

Goom,
A locked SATA drive is better than nothing, but I believe it is less secure than BitLocker. The reason is if someone stole the entire PC, they could boot into another OS from CD, such as Linux, and access the contents on the drive. However, with a BitLocker-encrypted drive, that wouldn't be possible. Also, in medium and large-sized companies, managing BitLocker recovery keys that are randomly generated in Active Directory is a much easier task than managing a SATA HDD password on each individual workstation.

Regardless, if there's a company policy enforcing it, then disabling BitLocker wouldn't be an option.

-Carl
"The glass is neither half-full nor half-empty: it's twice as big as it needs to be."

[tab][navy]For this site's posting policies, click [/navy]here.

 

[goombawaho]

The reason is if someone stole the entire PC, they could boot into another OS from CD, such as Linux, and access the contents on the drive.

This is not correct. The ATA password travels with the drive. Slaving it in another system won't allow access.

strongm - care to elaborate on your dissent.

A S.E.D. (self-encrypting drive) would be the best option vs. ATA password, vs. software encryption in terms of both performance and encryption security.

"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares.

 

[strongm]

A-FF Repair Station

 

[cdogg]

Goom,
I think you missed my analogy. I said if someone stole the entire PC. They wouldn't need to slave the drive at that point.

A S.E.D. (self-encrypting drive) would be the best option vs. ATA password, vs. software encryption in terms of both performance and encryption security

In terms of cost, BitLocker is very much the most effective option for most medium-sized companies and larger that already have a license for Windows 7 Enterprise. Also don't forget about the ease of manage recovery keys centrally. This is a breeze with BitLocker. Unless there's a security flaw you know of, I don't see how it's level of security is an issue here.

-Carl
"The glass is neither half-full nor half-empty: it's twice as big as it needs to be."

[tab][navy]For this site's posting policies, click [/navy]here.

 

[strongm]

> in terms of both performance and encryption security

Performance, yes. Encryption security not so much.

https://www1.informatik.uni-erlangen.de/filepool/projects/sed/seds-at-risks.pdf

 

[cdogg]

Interesting link strongm, thanks for sharing. BitLocker is by no means the most secure option out there either, but it does an adequate job.

It might be a moot point anyway, since the company the OP works for requires it.

 

[johnsonrs12]

Sorry CDOGG i tried yesterday, bitlocker came on again about 30 min ago. I took out battery, rebooted and didnt ask. Its so wierd. I just replaced the motherboard yesterday too. Dont know what else to do.

 

[cdogg]

Can you verify the user isn't plugging a device into the USB port from time to time? Maybe that's tripping it.

If not, then I suggest you disable BitLocker completely and give it time to decrypt the drive. Reboot and re-enable BitLocker. If the computer belongs to a domain where BitLocker recovery keys are stored in Active Directory, then you need to run the following command:

1. Open cmd.exe as Administrator

2. Type \\server\share\OSDBitLocker.exe /enable /wait:False /mode:TPM /pwd:AD (\\server\share is where your SCCM administrator stores the OSDBitLocker executable)

The workstation will begin encrypting the hard drive which may take up to an hour to complete. You can shut it down or reboot it in the meantime, as it will resume automatically at next startup.

 

[johnsonrs12]

I swapped out mother board yesterday, cleared tpm settings, start bitlocker automatically using active directory. Issue came up. Suspended bitlocker, install updates, issue still persist. No users on computer except me. I have screen shots im trying to figure out to upload them on here

 

[johnsonrs12]

http://files.engineering.com/getfil...-8397-f57124a918d7&file=bitlocker_error_1.JPG

http://files.engineering.com/getfil...-851a-f247d88b1289&file=bitlocker_error_2.JPG

here they are

 

[cdogg]

Yeah, that's what we come across all the time where I work. Usually the suspend, reboot, resume workaround fixes it though. Either that or decrypting/encrypting the drive.

Sorry, I'm all out of suggestions. Might be worth contacting Dell to see if it's a known issue with that model.

 

[johnsonrs12]

Yea our cyber security guard is out of suggesstions too, hell with it. Thank you for staying with post and trying to help.