BitLocker on Intel DX79TO Motherboard Requiring 48 Digit Recovery Key on Every Reboot
I recently purchased an Intel DX79TO motherboard. A primary reason for choosing this motherboard was the integrated TPM which would allow me to run BitLocker. But I'm having problems in which whenever I shut down the computer (cold boot) I am prompted for the 48 digit BitLocker recovery key every time. Has anyone else been able to get BitLocker to work on an Intel DX79TO motherboard? Or any ideas on how to fix this problem?

None of the similar problems I've found (when Googling this site or the web in general) have worked for me. On my PC BitLocker seems to think something has changed in the hardware (and thus the prompt for the 48 digit recovery key)? I double checked the BIOS settings and the few options I changed are still set the same way as before. I had not made any additional hardware or software changes. So I can't envision any reason why BitLocker would think there had been a hardware change.

I opened a trouble report with Intel. But two Intel engineers have emailed and their assertion is that the DX79TO motherboard is fine and the problem is with Microsoft (BitLocker). I've had about 20 different computers over the years (since BitLocker was first released) and this is the only one I've had this problem with. Most of these were non-Intel motherboards, but I have one other Intel motherboard (DQ67EP) and have been able to get BitLocker working on all of them. The Intel engineers are quick to point out the DQ67EP has a different chipset than the DX79TO and I agree, but given BitLocker has worked for every other motherboard I've used my suspicion is this is a hardware problem with the Intel DX79TO motherboard?

My recollection is that when I've been prompted for this 48 digit recovery key in the past that after I logged on to Windows I suspended BitLocker and then rebooted (warm boot) the machine. After the reboot and logon was completed I re-enabled BitLocker.
And I believe I was never prompted for the 48 digit recovery key after that point (even after a cold boot)? Non-Intel motherboards typically have an option in the BIOS that lets you clear the TPM. And it is possible I might have done that and forgot about it? But the point is that I was able to reset the TPM configuration and get BitLocker to work properly on every other system I've used.

Here is my configuration:

Intel Core i7-3930K
Intel DX79TO Motherboard (Upgraded to BIOS version 0494)
32 Gb (8 x 4 Gb) Corsair Vengeance DDR3-1600
EVGA GeForce GTX 460
Samsung 830 Series (2 drives in RAID0 connected to 6 Gbps SATA ports)
Western Digital 1 Tb Caviar Black - WD1001FALS
Creative X-Fi XtremeMusic
Antec CP-850 Watts
Windows 7 x64 Ultimate

Other than the Motherboard (and CPU which I wouldn't think should make any significant difference) the one difference between this PC and others I've had working with BitLocker is that I do not have a DVD drive on this PC. In reading this link: http://social.technet.microsoft.com/Forums/en-US/itprovistasecurity/thread/66b8fa61-5603-4e9b-a7de-e8226086e568 it seemed to imply that on this HP machine if a DVD drive wasn't listed in the BIOS that could cause problems for BitLocker? I wouldn't think the absence of a DVD drive on this PC should make any difference in whether or not BitLocker functioned properly?

I did use an external (USB) DVD drive in order to install some software on this computer. I wasn't sure if I had the DVD drive plugged in when I enabled BitLocker or not. So as an additional test I decrypted the drives and then used the Windows TPM management screens to clear and reset the TPM. One screen mentioned the TPM would be reset to factory defaults and all keys would be lost. After the reboot and logon I was prompted to initialize the TPM.

At this point in time I believe I am starting from a clean slate. The TPM was completely reinitialized. All hardware and software had already been installed. No BIOS changes were made.
So this should be a completely fresh start for BitLocker. But after re-enabling BitLocker and re-encrypting the RAID0 C Drive a reset (warm reboot) worked normally. But after a shutdown (cold reboot) and powering back on the PC I was again prompted for the 48 digit recovery key.

Since the DX79TO is an enthusiast motherboard there may not be many people trying to use BitLocker with this motherboard? I don't have any idea what the market penetration is for BitLocker in general. It may be fairly low? In Googling I found some possible matches, but in reading webpages I haven't found anyone who mentioned they're actually using BitLocker with the DX79TO.

I initially purchased a Core i7-3820 CPU. But there were BIOS incompatibilities and I could not get that CPU to work on two different DX79TO motherboards. (The motherboard would consistently power off 5 seconds after starting the system.) Working with Intel I eventually replaced the CPU with the Core i7-3930K. Prior to installing Windows 7 I upgraded the BIOS to the latest version available (from 0218 to 0494).

The Intel engineers are asserting the problem is with Microsoft. I am hoping this forum will be effective in getting a fix, but otherwise as an individual consumer I don't know if I have any way to get a fix for this problem?

I had other issues with this motherboard. My suspicion is that every DX79TO would have this same BitLocker problem, but given the other problems and difficulty of reinstalling software I am not keen on trying to get another DX79TO to see if the BitLocker problem goes away. I don't think it is too likely my problem is unique to this particular DX79TO motherboard.

In addition to telling me the problem is with Microsoft the Intel engineers have suggested some type of a reset to the BIOS. Certainly not my first choice, but probably easier than trying to get another DX79TO.
Their suggestion made me think that perhaps I should back up this PC and then pull the existing drives, reset the BIOS, and then try with a new single (non-RAID) hard drive. With that configuration I should be able to eliminate any changes I made to the BIOS to set up my system (other than changing the date and time). I could also temporarily add a DVD drive from another computer and/or pull the Creative X-Fi. To have as little change as possible to the hardware before trying to enable BitLocker.

While composing this question I came across this link: http://blogs.technet.com/b/askcore/archive/2010/08/04/issues-resulting-in-bitlocker-recovery-mode-and-their-resolution.aspx Microsoft mentions that the HDD should be listed first in the boot order and not a DVD drive (or the presence of any media in the drive could change the TPM's view of the world). So it doesn't sound like a DVD drive is required to be included for BitLocker to function. And in my case the RAID0 SSD drive is listed first in the boot order.

Thanks for any insight you can provide into resolving this problem.
June 7th, 2012 2:16pm

Hi,

Do you use the function keys to enter the PIN or the 48-character recovery password? The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards. When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment.

For more information about enhanced PINs see What is the difference between a TPM owner password, recovery password, recovery key, PIN, enhanced PIN, and startup key? (http://technet.microsoft.com/en-us/library/ee449438(v=WS.10).aspx#BKMK_Key)

If there is anything unclear, please visit the Windows 7 forum to get a better answer: Windows 7 Security http://social.technet.microsoft.com/Forums/en/w7itprosecurity/threads

Hope this helps!

Best Regards
Elytis Cheng
TechNet Community Support
June 11th, 2012 2:32am

Elytis, No, I am only using the TPM chip on the motherboard. No PIN or USB key. Thanks.
June 11th, 2012 2:32pm

Just a quick reply to signal that I have the exact same problem with the exact same motherboard. No matter which BIOS version I use, from day one BitLocker isn't working correctly (or only on the first cold boot).

I'm currently trying to find a way to get the PCR registers to check what changes at each boot and disable the wrong one from the BitLocker checks. I also tried moving from UEFI boot to BIOS boot but no result.
June 19th, 2012 6:34am

timhor,

I came across a workaround for this problem. While not ideal it may be of some help. I found a Microsoft forum in Japanese. This person mentioned having the same DX79TO motherboard and a problem description that looked nearly identical to my own. Somehow this person realized that by disabling some of the BitLocker encryption options that he could work around the problem.

Their menu seems to be different from mine. (I didn't notice if they mentioned Windows 7 or not.) But in general you navigate to the Local Policy related to BitLocker for OS Boot Drives and change the TPM options. In their case they deselected these two options:

PCR 0: Core Root of Trust Measurement (CRTM), BIOS, and Platform Extensions
PCR 1: Platform and Motherboard Configuration and Data

In my case PCR 1 was already not enabled even though this appears to be one of the default options. I reset the TPM, deselected PCR 0, and then restarted the encryption process. Now I am able to shut down and boot the system normally without being prompted for the 48 digit key.

Part of the purpose of using the TPM is to "tie" the hard drive to the motherboard. And these two options in particular look like they help to make that a reality. So deselecting them obviously makes the drive less secure than Microsoft intended to be the default configuration.

I've contacted Intel with the updated information. Given you're now the third person having this difficulty I think it should be a little more obvious there is a problem. Though they may still insist the problem is with Microsoft software? From our point of view I don't know of any way to isolate the problem any further. Between Intel and Microsoft their engineers need to find a solution for this problem.

If you're curious the URL I found is here: http://answers.microsoft.com/ja-jp/windows/forum/windows_7-security/tpm%E3%82%92%E4%BD%BF%E3%81%A3%E3%81%9Fbitlocker/0ba9d967-d01d-47a4-beff-8ee7443da542?msgId=11703c2b-4edf-40d6-b162-ad5cb6966e79
June 19th, 2012 11:45pm

Yeah, mostly did the same.

Trying to find which PCR was a blocker (like it took forever to get WLK & tpmppi), so I decided to test all PCRs manually. I disabled TPM / resumed it without removing encryption / resetting TPM. Via local GPO I removed all but 11 and re-enabled them 1 by 1. I don't think, nor have I seen anything saying, it's necessary to reset TPM to change the register needed.

In the end I re-enabled all of them (0,2,4,5,8,9,10,11) and still I was able to boot from cold boot. The 'funny' part is that now TPM is working on cold boot, it no longer works on warm reboot (asks for recovery key).

When I discovered the warm reboot issue I restarted my tests from scratch. Aka, re-disabled all PCRs except 11. Result was:

cold boot: ok
warm reboot: fail

But you have to use PCR 11 for BitLocker to work. Kinda weird. I do use startup key + TPM. I might just switch to startup key if it bothers me too much.
June 20th, 2012 4:00am
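What the two posts above are testing, modelled as an added example that is not code from the thread, Microsoft or Intel: the volume key is bound to the values of the PCRs in the validation profile, so a single PCR that ends up different after a power cycle blocks key release until it is taken out of the profile. The model assumes TPM 1.2 SHA-1 extend semantics, uses a simplified composite hash, and both event logs are constructed sample data rather than measurements from a DX79TO.

```python
import hashlib

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(data))."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()

def replay(event_log):
    """Replay (pcr_index, measured_data) events from reset into 24 PCRs."""
    bank = [bytes(20)] * 24
    for index, data in event_log:
        bank[index] = extend(bank[index], data)
    return bank

def composite(bank, profile):
    """Simplified stand-in for the PCR composite a sealed key is bound to."""
    digest = hashlib.sha1()
    for index in sorted(profile):
        digest.update(bytes([index]) + bank[index])
    return digest.digest()

def unseals(sealed_bank, boot_bank, profile):
    """The TPM releases the key only if every PCR in the profile matches."""
    return composite(sealed_bank, profile) == composite(boot_bank, profile)

def drifting_pcrs(bank_a, bank_b, profile):
    """PCRs in the profile whose value differs between two boots."""
    return [i for i in sorted(profile) if bank_a[i] != bank_b[i]]

# PCR set quoted in the thread.
PROFILE = (0, 2, 4, 5, 8, 9, 10, 11)

# Constructed event logs (not real DX79TO measurements): identical except
# that the firmware measures different data into PCR 0 after a power cycle.
WARM_LOG = [(0, b"firmware, warm path"), (2, b"option ROMs"), (4, b"MBR code"),
            (8, b"NTFS boot sector"), (9, b"NTFS boot block"),
            (10, b"boot manager"), (11, b"BitLocker access control")]
COLD_LOG = [(0, b"firmware, cold path")] + WARM_LOG[1:]

SEALED = replay(WARM_LOG)   # PCR state when BitLocker was enabled
COLD = replay(COLD_LOG)     # PCR state after shutdown and power-on

if __name__ == "__main__":
    print("warm reboot unseals:", unseals(SEALED, replay(WARM_LOG), PROFILE))
    print("cold boot unseals:  ", unseals(SEALED, COLD, PROFILE))
    print("drifting PCRs:      ", drifting_pcrs(SEALED, COLD, PROFILE))
    reduced = tuple(i for i in PROFILE if i != 0)
    print("cold boot, no PCR 0:", unseals(SEALED, COLD, reduced))
```

The last line shows the trade-off already noted in the thread: once PCR 0 is out of the profile, a change to what is measured there no longer blocks key release.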

timhor,

Your symptoms are a little different than mine. I'm not sure exactly why. Might have something to do with what other hardware each of us have connected to the motherboard?

Got a new reply from Intel. They still think this is a problem that Microsoft will need to fix. Until that gets done if you need BitLocker and don't want to try and disable various "options" and lower the security requirements in order to make this work then I guess you'll need to look for another motherboard?

Here's part of what Intel wrote to me:

Thank you again for contacting Intel Customer Support. You would need to gather assistance from Microsoft in order for you to be able to determine how this software uses the motherboard resources, limitations, and compatibility data. Since Intel has not developed the third party software in question; we are unable to guess how the software was developed and customized for the Intel Desktop Board DX79TO and why it would ask you for a 48 digits key (also available through Microsoft) depending on the system settings. Everything being indicated pretty much addresses to a compatibility conflict; still, this is something to be confirmed by your software developer (Microsoft).
June 20th, 2012 9:11am

The first symptoms were the same: ask for 48 digits recovery key on cold boot once encrypted with that motherboard (even if it was working for reboot). Now it's the opposite, cold boot is ok and warm reboot fails. But this one is ok for me for now (I can power cycle if I need to reboot :) and this computer isn't intended to reboot).

I have a very basic setup here: DX79TO, i7 3930x, 4*4GB of Vengeance RAM, GTX570, Crucial M4 120GB SSD.

Intel's answer is kinda... weird. Microsoft didn't make a software for this mobo, it's based on specifications, the same specifications that Intel should have used for the TPM chipset. I have a dozen of encrypted hardware with BitLocker and they all work correctly except this Intel mobo that is failing.
June 20th, 2012 10:15am

This topic is archived. No further replies will be accepted.
