BitLocker requests encryption key at every boot
I have installed and set up BitLocker on a Sony VAIO with a TPM 1.2 chip. The drive has been fully encrypted. With BitLocker on, every time the system boots I get the following message:

Windows BitLocker Drive Encryption Information
The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system. Confirm that the boot changes to this system are authorized. If the changes to the boot system are trusted, then disable and re-enable BitLocker. This will reset BitLocker to use the new boot information. Otherwise, restore the system boot information.
ENTER=Continue

I have tried disabling and re-enabling BitLocker (disable; reboot; enable; reboot) and get the same message. I have even tried disabling to the point of decrypting and then re-encrypting the whole drive. Neither approach has worked.

According to the BitLocker FAQ, one of the following should trigger the message I'm getting:

Unauthorized changing of the BIOS, master boot record (MBR), boot sector, boot manager, or other early boot components would cause a failure in the integrity checks and keep the TPM-protected key from being released. This is by design because unauthorized modification of any of those components could and should be perceived as an attack. Of course, the BitLocker feature provides methods for authenticated system administrators to update these components if required.

None of that has happened. Any suggestions? Thanks in advance.
February 13th, 2007 12:28am
What other software is on your system other than Windows? AV, disk utilities, and other stuff.
February 13th, 2007 3:36pm
Dear All, I have the exact same problem with my Sony Vaio SZ1 with a TPM 1.2. I have performed a clean install of Vista. I have not installed any additional software as I wanted to set up the TPM first. On running the BitLocker setup wizard it runs the test to ensure that the computer will boot with the USB Flash device attached before encrypting. On restart I get the same error message as above and turning TPM off, reboot, TPM on, reboot, makes no difference. Any thoughts on what to try?
February 18th, 2007 12:00pm
Same problem here with a Vaio SZ330P. Requests key on every boot. Have tried everything MS suggests. Would love to hear if anyone finds a solution.
March 4th, 2007 1:41am
Did you wipe the hidden partition on the Sony drive? Also, what AV are you running?
March 6th, 2007 2:26pm
I did wipe the hidden Sony partition (followed the Windows instructions to prepare drive in DOS prior to installing Vista). This deleted the Sony partition and created the two new partitions required as per instructions. AV - I have CA Anti virus (California Associates) - but am fairly certain that when I was trying to get BitLocker to work I had not yet installed any additional software. Thanks
March 6th, 2007 3:08pm
I have a SZ120P and I did a full wipe. I am using ESET's NOD32. I am trying to exclude boot file scans now...
March 6th, 2007 8:50pm
Same for me. Sony VGN-TXN27N. I left the Sony recovery partition there and used the Vista Ultimate tool to repartition the drive. I naively assumed if the tool ran without error then the partitioning was okay for BitLocker. Do folks think it is really necessary to remove the recovery partition?
March 9th, 2007 8:46pm
Addendum to my previous post. Since the message implies the TPM has detected a boot path modification, I used group policy to modify the TPM Platform Validation Profile so that only PCR 11 is used. This appears to disable all checks and the system boots correctly without requiring a key from me. So now the question is, which of the default PCR indices (0, 2, 4, 8, 9, and 10) are causing boot validation to fail. I can't tell if I can disable BitLocker and change the Platform Validation Profile, or whether I have to completely decrypt and re-encrypt to have the changes take effect. Does anyone know? If it's the former it'll be easy to find the culprit. I'm tired of these 5 hour experiments :(
March 10th, 2007 4:38am
You don't have to have the entire hard drive encrypted to test that. Just start encrypting it, then pause encryption then reboot and test.
March 11th, 2007 5:52pm
I tested all of them. If I leave out "PCR 9: NTFS Boot Block" it boots up without the error message. If this solves your problem please post in thread. Thanks, Daniel
March 12th, 2007 1:11am
Update: I hibernated the system, and now it's asking me for the key again :( This is getting rather tedious! Back to testing each one....
March 12th, 2007 3:00pm
I too am having the same problem with recovery at every reboot. I am using a Vaio SZ4 with TPM 1.2.
March 12th, 2007 4:31pm
A couple of updates on this... I confirmed with someone at Microsoft that the PCR policy settings are re-read each time the disk is sealed, so you can disable/change/enable and the new settings are used. On my Sony VGN TXT27N I disabled all PCR settings except 11 and things worked fine. Then I enabled them one by one and still everything worked fine with the default profile (0, 2, 4, 8, 9, 10, 11). I'm not sure why, since initially I was getting the recovery screen with the default profile. Something clearly isn't quite right, but for now I have the defaults turned on and BitLocker is happy, even coming back from hibernation.
March 13th, 2007 5:04am
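A simplified model of what the posters above are testing, added here as an example; it is not part of any poster's message and is not BitLocker's own code. It shows why a key sealed to the default profile (0, 2, 4, 8, 9, 10, 11) is withheld when one measured value differs, why a profile of only PCR 11 hides that, and why resealing binds to the new values. The measurement byte strings and the `composite` format are constructed assumptions; the extend rule is the TPM 1.2 SHA-1 extend.

```python
import hashlib

ZERO = b"\x00" * 20                        # static TPM 1.2 PCRs (0-15) reset to zeros
DEFAULT_PROFILE = (0, 2, 4, 8, 9, 10, 11)  # default profile quoted in the thread

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA-1(old PCR || SHA-1(measured data))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()

def boot(components: dict) -> dict:
    """Replay one boot: each measured component is extended into its PCR."""
    pcrs = {i: ZERO for i in range(16)}
    for index, blobs in components.items():
        for blob in blobs:
            pcrs[index] = extend(pcrs[index], blob)
    return pcrs

def composite(pcrs: dict, profile) -> bytes:
    """Simplified stand-in (assumption) for the PCR composite a key is bound to."""
    return hashlib.sha1(b"".join(pcrs[i] for i in sorted(profile))).digest()

def seal(pcrs: dict, profile) -> dict:
    """Record the profile and composite at sealing time (no real key material)."""
    return {"profile": tuple(profile), "digest": composite(pcrs, profile)}

def unseal_ok(blob: dict, pcrs: dict) -> bool:
    """The key is released only if the current composite matches the sealed one."""
    return composite(pcrs, blob["profile"]) == blob["digest"]

def failing_pcrs(sealed_pcrs: dict, current_pcrs: dict, profile) -> list:
    """PCRs in the profile whose value differs between sealing and this boot."""
    return [i for i in sorted(profile) if sealed_pcrs[i] != current_pcrs[i]]

# Constructed measurements: byte strings stand in for real boot components.
AT_SEAL = {0: [b"firmware"], 4: [b"mbr"], 8: [b"boot-sector"],
           9: [b"ntfs-boot-block"], 10: [b"boot-manager"], 11: [b"bitlocker"]}
NEXT_BOOT = dict(AT_SEAL)
NEXT_BOOT[9] = [b"ntfs-boot-block-measured-differently"]  # constructed change

if __name__ == "__main__":
    sealed, now = boot(AT_SEAL), boot(NEXT_BOOT)
    blob = seal(sealed, DEFAULT_PROFILE)
    print("default profile releases key:", unseal_ok(blob, now))
    print("mismatching PCRs:", failing_pcrs(sealed, now, DEFAULT_PROFILE))
    print("PCR 11 only releases key:", unseal_ok(seal(sealed, (11,)), now))
    print("after reseal:", unseal_ok(seal(now, DEFAULT_PROFILE), now))
```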
Mr Zebedee, I'd be really grateful if you could explain how to disable the PCR settings since I'd like to try this fix too. It's a real pain having to enter the BitLocker recovery key every reboot. Thanks

Mr. Zebedee wrote: A couple of updates on this... I confirmed with someone at Microsoft that the PCR policy settings are re-read each time the disk is sealed, so you can disable/change/enable and the new settings are used. On my Sony VGN TXT27N I disabled all PCR settings except 11 and things worked fine. Then I enabled them one by one and still everything worked fine with the default profile (0, 2, 4, 8, 9, 10, 11). I'm not sure why, since initially I was getting the recovery screen with the default profile. Something clearly isn't quite right, but for now I have the defaults turned on and bitlocker is happy, even coming back from hibernation.
March 15th, 2007 2:17pm
Start Orb -> Run (or in the search field) -> gpedit.msc. Drill down to Administrative Templates - Windows Components - BitLocker Drive Encryption. In the right-hand pane of the window, click on "Configure TPM Platform Validation Profile". This has all the PCR settings.
March 15th, 2007 5:23pm
I tried disabling all PCR settings except 11 and I still get the recovery screen after a reboot :(

Daniel N wrote: Start Orb -> Run (or in the search field) -> gpedit.msc. Drill down to Administrative Templates - Windows Components - BitLocker Drive Encryption. In the right-hand pane of the window, click on "Configure TPM Platform Validation Profile". This has all the PCR settings.
March 15th, 2007 6:41pm
When I tested it the setting didn't take effect unless I turned off BitLocker and decrypted the drive, then turned it back on with the new setting applied. I forgot to mention in the last post too: open an administrative command prompt (right click on CMD and click Run As Administrator) and type "gpupdate /force". This reloads the GPO. (It usually takes a little while for them to refresh by default.) An earlier post in this thread states that you just need to apply the new PCR settings and reboot, but from my own testing you really do need to disable, decrypt, enable and encrypt with a new key. The only way I found to speed things up without having to wait for the drive to fully encrypt each time was to skip the test, and right away click on the pause encryption option in the encryption dialog box. I would then perform my reboot test. I have to do it all again though. A reboot test and a hibernate test. It seems hibernating the workstation also changes startup information on the computer that BitLocker doesn't like.
March 15th, 2007 6:50pm
I've had the same problem on a Vaio SZ2XP - get encryption key request at every boot. Don't suppose anyone has found a permanent solution to this problem?
April 17th, 2007 1:22am
Please make sure the VAIO is configured as such:
1. TPM must be enabled in BIOS
2. External Drive Boot must be enabled in BIOS.
3. Change the Boot order in BIOS:
   1. Internal Optical Drive
   2. Floppy Disk Drive
   3. Internal Hard Disk Drive
   4. USB Flash
   Then the order of the remaining drives does not matter.
June 6th, 2007 10:55am
I tried this on my SZ2XP but it didn't appear to work. The laptop still requests encryption key at every boot. Sony have told me they won't support Bitlocker - so have almost given up on this one unless someone has found a way to get it working?
June 9th, 2007 9:35pm
1. First disable BitLocker (do not decrypt!!!)
2. Take ownership of the TPM chip
3. Reboot
4. Initialize TPM chip, enter pswd on TPM chip
5. Enable BitLocker
The drive is still encrypted and your TPM chip is loaded, and won't request keys on boot.
Regards,
Patrick Veldboer
June 15th, 2007 3:58pm
I am still having troubles getting this to work, but thanks for the advice. I'll post an update if I figure this out. wng
July 20th, 2007 9:57am
Hi, do you have any updates on this? I too have the same problem.
December 1st, 2007 10:17pm
Hi Wordsun, Have you found a fix? I am having the same problem. Sailor22
December 29th, 2007 11:54pm
I asked Sony again if they had any plans to update their drivers/BIOS to accommodate BitLocker properly for the SZ2XP and they said "no plans at present".
January 16th, 2008 2:45am
Have you checked in the BIOS to make sure the TPM is turned on?
February 11th, 2010 3:02am
What has worked for me is:
1. Boot up
2. Go to Control Panel then BitLocker Drive Encryption
3. Click Suspend Protection
4. Click Enable Protection
Rebooted and was all good.
February 13th, 2010 12:39am
Amazing... this worked for me too! Did try to reset the TPM password with the "bitlocker file" password, but all the time it kept asking for the key at boot. After suspend and resume protection, I restarted and it was gone!! Thnx Esvabas!
March 5th, 2010 9:33pm
Hi Esvabas / Softgrid_applicator
Which model of Sony Vaio are you using? Just tried this approach but still getting encryption key request at every boot... Mine is the SZ2XP.
March 12th, 2010 1:27pm
Well I finally managed to get BitLocker working properly on my Vaio VGN-SZ2XP by flashing the BIOS with one designed for a later (BitLocker compatible) SZ model. I'd just upgraded to Windows 7 Ultimate and BitLocker was still requesting key at every boot.

My inspiration was these threads which mention using a later SZ model BIOS on earlier SZ models.
http://forum.notebookreview.com/showthread.php?t=118601
http://forum.notebookreview.com/showthread.php?t=189228

In my case I used BIOS version R0112N0 designed for the SZ440. Downloaded from here: http://esupport.sony.com/US/perl/swu-download.pl?mdl=VGNSZ440&upd_id=2717&os_id=29
Sony state this BIOS supports BitLocker. The installer complained when I tried to run it that it's not for my notebook model. I got around that by extracting with Universal Extractor http://legroom.net/software/uniextract and ran the executable located in the TEMPEXEFOLDER folder. An anxious minute or so passed, the BIOS was flashed, the SZ2XP rebooted. I enabled BitLocker, encrypted the drive, rebooted - and NO MORE key request at boot time!

I did this a few days ago and system has been fine since - of course using a BIOS not designed specifically for my model is a risk, but so far so good. And I have BitLocker fully functioning. Very pleased.
March 13th, 2010 7:39am
Same worked well here on an IBM Lenovo Laptop. Thanks bunches! Small sidenote: step 3 reads "Resume Protection" and not enable protection. Guess most can figure that out themselves though :) I have created a step by step tutorial including screenshots of how to accomplish this at: http://www.zomers.eu/knowledge/misc/Pages/Solve-having-to-enter-your-BitLocker-key-every-time-at-Windows-boot.aspx
June 27th, 2011 4:50pm