BitLocker - becoming an irritation
We're deploying BitLocker to our organization with every Windows 7 laptop that is deployed. It is quickly becoming an irritation for me because one day a user's laptop will be working fine (BitLocker w/TPM, no PIN, no USB drive) and then, without any change, the very next day or next reboot, the machine will ask for the BitLocker Recovery Key, and no amount of fiddling with anything on the system will make it go away. The only option we have left is to decrypt the drive and re-encrypt it. This is happening on all platforms we have deployed, with varying configurations, docked, undocked, etc. I can find no discernible pattern to this.

I can't find a "Best Practices" document for how to deploy this that encompasses everything from BIOS settings to boot orders to software installed or not installed on workstations. Does anyone have or know of a comprehensive document for troubleshooting BitLocker? I've seen the list of things that can trigger recovery key mode, and that list basically makes me want to stop deploying it; it seems that all you have to do is breathe wrong on a BitLocker-encrypted laptop and it will go into recovery mode.

r/ john
John Wildes | Senior Enterprise Architect | United Airlines | Desktop Engineering
March 2nd, 2011 12:30pm

I work for an enterprise org as well and we're looking into BitLocker. Your story scares me. I'll be watching this thread, and I hope you get a reply soon.

Jason Yates
March 2nd, 2011 3:36pm

Hi John, I'm not sure of the exact cause of the issue, but you may check whether the TPM Base Services service is started. Hope it helps.

Styx
March 3rd, 2011 3:50am

Hi Jason, it's a very good (super) feature developed by Microsoft, very secure, go ahead. There is no need to be scared. TPM is basically a hardware chip.
March 3rd, 2011 4:35am

Thanks for the replies, everyone. I'm aware of what the TPM chip is and does. I've found that in some cases the TPM is turned off in the BIOS after a reboot or an undock (not deactivated, just turned off). Checking that TPM Base Services is started would help after Windows loads; I'm not sure how that would affect a booting system that asks for a recovery key.

I'm confused as to the reason why the TPM validation of the system is not enough for BitLocker, such that any number of the changes or events listed here: http://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx#BKMK_examplesosrec can cause a BitLocker recovery key scenario.

What I'm hoping someone from Microsoft can answer is "How do I troubleshoot this?" Where is the log that says you had a BitLocker recovery error because you had a CD in your drive when you booted, or you had undocked your laptop, or you had changed your battery, and why would these things matter? Seriously, it was like the encryption scheme was designed without normal usage scenarios in mind. I'm not trying to cause trouble here, just frustrated at not being able to create documentation for my field service people who have to support this, and wondering why my laptop with BitLocker (one of the first installations we did) has had 0 issues, when I have done almost everything on this list that should cause BitLocker to ask for a recovery key.

John Wildes | Senior Enterprise Architect | United Airlines | Desktop Engineering
March 3rd, 2011 9:59am

Hello John, unfortunately there is, afaik, no troubleshooting guide. I am the project leader in our company for the BitLocker deployment on 1000+ PCs/laptops. All our PCs have run BitLocker for 6 months now. During the planning phase we tested all combinations (different boot scenarios, different TPM profiles, docking stations and so on) we could think of and created a matrix to see which combination leads to which result (BitLocker unlocks or stays locked). With this matrix we could find a suitable TPM profile and got a feeling for the situations in which BitLocker stays locked.

What I found out during the project planning/testing/production period is that it's important to have a proper TPM validation profile in the GPO, suitable for the production environment. Changes to the boot order, a skipped PXE boot, a different PXE server version/product, a changed value in the BIOS, a detached network cable, a docking station: all of this can lead to a locked system.

Sorry that I can't point you to a troubleshooting guide. Here it sometimes helps just to try a reboot, and sometimes it helps to identify the current constellation and check it against the test matrix to find the differences.

Greetings
Th0u
March 4th, 2011 10:14am

This might be bold and in poor taste, so I apologize ahead of time . . . but can you share this test matrix, devoid of organizational identifiers?

Jason Yates
March 4th, 2011 12:32pm

John: I do the same kind of work you do, but I'm pretty new at it, despite the fact that I've been working with Windows and Windows servers for 12 years. I was wondering if I could pick your brain sometime, say over the phone or via email. If you're cool with that, please drop me a line (jtyates ATT gmail and you know the rest).

Jason Yates
March 4th, 2011 12:36pm

Hello John, I wrote this article a while back; it should help with some of the most common causes of BitLocker recovery. So far I have not come across a scenario where following the items in this blog did not resolve the problems.

The reason there is no logging as to what caused BitLocker to go into recovery (and this is my educated guess) is that, since Windows does not control the BIOS and/or TPM chip, and since it happens during the Windows Bootmgr (no logging), we are unable to capture which exact PCR register changed in order to trip BitLocker. I have seen scenarios where the BIOS was returning invalid information to Bootmgr due to an outdated BIOS on the system.

If you suspend BitLocker and then resume BitLocker, it will reseal the TPM chip and the PCR values. Also, note that Windows Updates have built-in logic to not trip BitLocker into recovery mode.

http://blogs.technet.com/b/askcore/archive/2010/08/04/issues-resulting-in-bitlocker-recovery-mode-and-their-resolution.aspx

Tanner
--- This is posted as-is and has no warranty or guarantee ---
March 5th, 2011 8:38pm
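The suspend/resume cycle Tanner describes, as an added example that is not part of the thread and not Microsoft's own tooling. It drives manage-bde (the Windows 7 command-line tool) from PowerShell: it lists the key protectors on the OS drive, escrows every numerical password (recovery) protector to the computer's AD object before anything is touched, then suspends or resumes protection and lists the protectors again so a technician can see for themselves whether any protector ID changed and what PCR validation profile the resealed TPM protector reports. Assumptions, all mine: the OS volume is C:, the domain has the BitLocker AD schema extensions, and manage-bde prints English output whose protector headings ("TPM:", "Numerical Password:", "PCR Validation Profile:") are parsed by name.

```powershell
# Added example (not from the thread): suspend/resume BitLocker with manage-bde
# so the TPM protector is resealed against the current PCR values. Each recovery
# (numerical password) protector is backed up to AD before suspending. Run from
# an elevated prompt on the affected machine (PowerShell 2.0 compatible).
param(
    [string]$Volume = 'C:',                                         # assumed OS volume
    [ValidateSet('Suspend','Resume')][string]$Action = 'Suspend'
)

# Protector type headings as manage-bde prints them (assumed English output).
$ProtectorTypes = 'TPM','TPM And PIN','TPM And Startup Key','TPM And PIN And Startup Key',
                  'Numerical Password','External Key','Identity Certificate','Data Recovery Agent'

function Get-BdeProtectors {
    param([string]$Volume)
    # Parses "manage-bde -protectors -get": a type heading such as "TPM:" is followed
    # by an "ID: {GUID}" line; a TPM protector also lists its "PCR Validation Profile".
    $lines = (& manage-bde -protectors -get $Volume 2>&1 | Out-String) -split "`r?`n"
    $found = @(); $type = $null; $pcrNext = $false
    foreach ($raw in $lines) {
        $t = $raw.Trim()
        if ($t -match '^(.+):$' -and $ProtectorTypes -contains $Matches[1]) { $type = $Matches[1]; continue }
        if ($t -match '^ID:\s*(\{[0-9A-Fa-f-]+\})$' -and $type) {
            $found += New-Object PSObject -Property @{ Type = $type; Id = $Matches[1]; Pcrs = '' }
            continue
        }
        if ($t -eq 'PCR Validation Profile:') { $pcrNext = $true; continue }
        if ($pcrNext -and $found.Count -gt 0) { $found[-1].Pcrs = $t; $pcrNext = $false }
    }
    return $found
}

function Backup-RecoveryPasswordToAd {
    param([string]$Volume, [string]$ProtectorId)
    # Writes the recovery password of one protector to the computer object in AD.
    & manage-bde -protectors -adbackup $Volume -id $ProtectorId | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Invoke-BdeCycle {
    param([string]$Volume, [string]$Action)
    $before   = Get-BdeProtectors -Volume $Volume
    $recovery = @($before | Where-Object { $_.Type -eq 'Numerical Password' })
    if ($Action -eq 'Suspend') {
        if ($recovery.Count -eq 0) { throw "No recovery password protector on $Volume; add one before suspending." }
        foreach ($p in $recovery) {
            if (-not (Backup-RecoveryPasswordToAd -Volume $Volume -ProtectorId $p.Id)) {
                throw "AD backup of recovery protector $($p.Id) failed; leaving protection on."
            }
        }
        # Suspend: the volume master key is stored on disk in the clear, so the next boot
        # does not depend on the TPM. On Windows 7 this stays in effect until -enable.
        & manage-bde -protectors -disable $Volume
    } else {
        # Resume: the clear key is removed and the TPM protector is sealed again
        # against the PCR values of the boot that just completed.
        & manage-bde -protectors -enable $Volume
    }
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed with exit code $LASTEXITCODE" }
    $after     = Get-BdeProtectors -Volume $Volume
    $beforeIds = ($before | ForEach-Object { $_.Id } | Sort-Object) -join ';'
    $afterIds  = ($after  | ForEach-Object { $_.Id } | Sort-Object) -join ';'
    New-Object PSObject -Property @{
        Action              = $Action
        ProtectorIdsChanged = ($beforeIds -ne $afterIds)
        TpmPcrProfile       = ($after | Where-Object { $_.Type -eq 'TPM' } | ForEach-Object { $_.Pcrs })
        Protectors          = $after
    }
}

$result = Invoke-BdeCycle -Volume $Volume -Action $Action
$result | Format-List Action, ProtectorIdsChanged, TpmPcrProfile
$result.Protectors | Format-Table Type, Id -AutoSize
& manage-bde -status $Volume
```

Run it once with -Action Suspend, reboot (the machine should start without asking for the key), then run it with -Action Resume; the second run's ProtectorIdsChanged field answers the question of whether the cycle replaced any protector. Newer Windows versions accept -RebootCount on manage-bde -protectors -disable so the suspension ends automatically; Windows 7 does not, so the Resume run must not be forgotten, since a suspended volume is readable without the TPM.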

Hello Jason, the matrix details themselves may not help you, because the results depend on the hardware/BIOS/TPM/... used, as stated by Tanner S. The matrix consists of PCR0-PCR11 (x-axis) and changes (y-axis). Changes are "use cases", e.g. "changing boot order by pressing ESC", or "starting PC w/o NIC cable", or "flashing BIOS", or "changing BIOS settings", or "removing HD", or attaching/removing the notebook to/from the docking station, or "shutdown PXE server", or "change PXE server version".

We updated all PCs/notebooks to the latest BIOS. Then we picked one system from each PC/notebook model for testing. Then we started with a TPM profile where all PCRs are activated, and then we changed things on the system defined in the use cases and documented whether a "change" leads to a BitLocked system. If yes, we deactivated PCRs one by one, beginning with PCR 11, and tested again until a change to the system did not lead to a BitLocked system. For example, PCR4/5 are sensitive to changes in the boot process of the PC (the process before the handover to Windows 7). We created a matrix for nearly all of our different PC models (atm 1 brand/5 models). The tests also revealed that different PC models from the same vendor (one of the bigger office PC brands) behave differently. And after the tests I can second the info from Tanner's blog entry that the TPM implementation varies and that this is not within the scope of Windows.

Another part is changes to things inside Windows, like installing updates, manipulating Windows and so on. We decided to test this on demand (before rolling out updates). Also, our users have no admin rights, so this prevents changes to Windows which may lead to a BitLocked system. Microsoft says that Windows patches may not trigger BitLocker, because Windows files carry a certificate. In contrast to this, we had several BitLocked systems after installing win7-mui-en-us.

Greetings
Th0u
March 7th, 2011 5:39am

Tanner, thanks for the information. So what you're saying is that when I encounter one of these scenarios where we cannot find out what happened to trip the BitLocker recovery key, we boot the workstation, suspend BitLocker, reboot (we should be able to start without the key), and then resume BitLocker? Will this keep the same key in place? Will it change the key that is there and give us a new one?

Thanks
john
John Wildes | Senior Enterprise Architect | United Airlines | Desktop Engineering
March 7th, 2011 8:47am

Th0u, where exactly did you create your TPM validation profile? I cannot find any information on how to do it via Group Policy.

r/ john
John Wildes | Senior Enterprise Architect | United Airlines | Desktop Engineering
March 7th, 2011 8:47am

Hello John, in the GPOs under \Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive you will find the TPM validation profile. You have to enable it to see the defaults, and then you can change it.

Greetings
Th0u
March 7th, 2011 9:04am
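An added example, not from the thread, of how the test matrix Th0u describes can be recorded on the test machines themselves, and of reading back the TPM validation profile the GPO above sets. After each test boot the tester runs it with the use case under test and the observed outcome; the script appends one CSV row holding the "constellation": the platform facts that feed the PCRs and that Windows can read (BIOS version, optical media loaded, NIC link, TPM enabled/activated/owned), the PCR list the policy enables, BitLocker's protection status, and the outcome. It then prints earlier rows for the same model and use case, so a row that unlocked next to one that went to recovery points at the field that differed. Assumptions, all mine: the policy writes one DWORD per PCR index under HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation (an assumption about the GPO's registry layout; confirm it on a machine that has the policy applied), the OS volume is C:, and the matrix path is arbitrary. Docked/undocked is not reliably readable from WMI, so the tester supplies it.

```powershell
# Added example (not from the thread): append one row to a BitLocker test matrix
# and show earlier rows for the same model/use case. Run elevated after each test
# boot (PowerShell 2.0 compatible; WMI classes are the ones Windows 7 ships).
param(
    [Parameter(Mandatory=$true)][string]$Change,                  # use case, e.g. "boot without NIC cable"
    [Parameter(Mandatory=$true)][ValidateSet('Unlocked','Recovery')][string]$Outcome,
    [switch]$Docked,                                              # supplied by the tester
    [string]$MatrixPath = 'C:\BitLockerMatrix\matrix.csv'         # arbitrary, assumed path
)

$Columns = 'Timestamp','Model','BiosVersion','PolicyPcrs','TpmEnabled','TpmActivated','TpmOwned',
           'MediaLoaded','NicConnected','Docked','ProtectionStatus','Change','Outcome'

function Get-PolicyPcrs {
    # "Configure TPM platform validation profile": assumed layout is one DWORD per
    # PCR under this key, value name = PCR number, data 1 = enabled.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation'
    if (-not (Test-Path $key)) { return 'default (0,2,4,5,8,9,10,11)' }   # Windows 7 default on BIOS systems
    $props = Get-ItemProperty -Path $key
    $on = @()
    foreach ($m in ($props | Get-Member -MemberType NoteProperty)) {
        if ($m.Name -match '^\d+$' -and [int]$props.($m.Name) -eq 1) { $on += [int]$m.Name }
    }
    return (($on | Sort-Object) -join ',')
}

function Get-PlatformSnapshot {
    $bios  = Get-WmiObject Win32_BIOS
    $cs    = Get-WmiObject Win32_ComputerSystem
    $tpm   = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    $vol   = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
    $media = @(Get-WmiObject Win32_CDROMDrive | Where-Object { $_.MediaLoaded }).Count -gt 0
    $link  = @(Get-WmiObject Win32_NetworkAdapter -Filter 'PhysicalAdapter=TRUE' | Where-Object { $_.NetConnectionStatus -eq 2 }).Count -gt 0
    $prot  = -1                                  # Win32_EncryptableVolume: 0 = off/suspended, 1 = on, 2 = unknown
    if ($vol) { $prot = $vol.GetProtectionStatus().ProtectionStatus }
    $row = New-Object PSObject -Property @{
        Timestamp = (Get-Date).ToString('s');   Model = "$($cs.Manufacturer) $($cs.Model)"
        BiosVersion = $bios.SMBIOSBIOSVersion;  PolicyPcrs = Get-PolicyPcrs
        TpmEnabled = $false; TpmActivated = $false; TpmOwned = $false
        MediaLoaded = $media; NicConnected = $link; ProtectionStatus = $prot
    }
    if ($tpm) {
        $row.TpmEnabled   = $tpm.IsEnabled_InitialValue
        $row.TpmActivated = $tpm.IsActivated_InitialValue
        $row.TpmOwned     = $tpm.IsOwned_InitialValue
    }
    return $row
}

function Add-MatrixRow {
    param($Row, [string]$Path)
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $csv = $Row | Select-Object $Columns | ConvertTo-Csv -NoTypeInformation
    if (Test-Path $Path) { $csv | Select-Object -Skip 1 | Add-Content -Path $Path }   # keep the single header row
    else                 { $csv | Set-Content -Path $Path }
}

function Get-MatrixHistory {
    # Earlier runs of the same use case on the same model.
    param($Row, [string]$Path)
    if (-not (Test-Path $Path)) { return @() }
    return @(Import-Csv -Path $Path | Where-Object { $_.Model -eq $Row.Model -and $_.Change -eq $Row.Change })
}

$row = Get-PlatformSnapshot
$row | Add-Member -MemberType NoteProperty -Name Docked  -Value ([bool]$Docked)
$row | Add-Member -MemberType NoteProperty -Name Change  -Value $Change
$row | Add-Member -MemberType NoteProperty -Name Outcome -Value $Outcome
Add-MatrixRow -Row $row -Path $MatrixPath
Get-MatrixHistory -Row $row -Path $MatrixPath |
    Format-Table Timestamp, BiosVersion, PolicyPcrs, MediaLoaded, NicConnected, Docked, ProtectionStatus, Outcome -AutoSize
```

Usage after a test boot: `.\Add-MatrixRow.ps1 -Change "boot without NIC cable" -Outcome Recovery -Docked`. The PCR values themselves cannot be read from Windows 7 with the tools on the page, so the matrix keys on the inputs that feed them; when the policy PCR set is narrowed (as Th0u did, dropping PCRs from 11 downward), the PolicyPcrs column records which profile each outcome was observed under.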

I think the key to your issue is to set the BIOS boot order to always boot from the HDD first, before you enable BitLocker. Then the only time you'll see the prompt for the recovery key is if the laptop is booted off some other media like USB or DVD. You might find this helpful for automatically saving the BitLocker keys and TPM information into Active Directory: http://blog.concurrency.com/infrastructure/enable-bitlocker-automatically-save-keys-to-active-directory/

MrShannon | Concurrency Blogs | UAG SP1 DirectAccess Configuration Guide
June 10th, 2011 12:43pm
