BitLocker requests encryption key at every boot
I have installed and set up BitLocker on a Sony VAIO with a TPM 1.2 chip. The drive has been fully encrypted. With BitLocker on, every time the system boots I get the following message:
Windows BitLocker Drive Encryption Information
The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system.
Confirm that the boot changes to this system are authorized. If the changes to the boot system are trusted, then disable and re-enable BitLocker. This will reset BitLocker to use the new boot information. Otherwise, restore the system boot information.
ENTER=Continue
I have tried disabling and re-enabling BitLocker (disable; reboot; enable; reboot) and get the same message. I have even tried disabling to the point of decrypting and then re-encrypting the whole drive. Neither approach has worked.
According to the BitLocker FAQ, one of the following should trigger the message I'm getting: Unauthorized changing of the BIOS, master boot record (MBR), boot sector, boot manager, or other early boot components would cause a failure in the integrity checks and keep the TPM-protected key from being released. This is by design because unauthorized modification of any of those components could and should be perceived as an attack. Of course, the BitLocker feature provides methods for authenticated system administrators to update these components if required.
None of that has happened. Any suggestions? Thanks in advance.
February 12th, 2007 4:28pm

What other software is on your system other than Windows? AV, disk utilities, and other stuff.
February 13th, 2007 7:36am

Dear All, I have the exact same problem with my Sony Vaio SZ1 with a TPM 1.2. I have performed a clean install of Vista. I have not installed any additional software as I wanted to set up the TPM first. On running the BitLocker setup wizard it runs the test to ensure that the computer will boot with the USB Flash device attached before encrypting. On restart I get the same error message as above, and turning TPM off, reboot, TPM on, reboot, makes no difference. Any thoughts on what to try?
February 18th, 2007 4:00am

Same problem here with a Vaio SZ330P. Requests key on every boot. Have tried everything MS suggests. Would love to hear if anyone finds a solution.
March 3rd, 2007 5:41pm

Did you wipe the hidden partition on the Sony drive? Also, what AV are you running?
March 6th, 2007 6:26am

I did wipe the hidden Sony partition (followed the Windows instructions to prepare the drive in DOS prior to installing Vista). This deleted the Sony partition and created the two new partitions required as per instructions. AV - I have CA Anti virus (California Associates) - but am fairly certain that when I was trying to get BitLocker to work I had not yet installed any additional software. Thanks
March 6th, 2007 7:08am

I have a SZ120P and I did a full wipe. I am using ESET's NOD32. I am trying to exclude boot file scans now...
March 6th, 2007 12:50pm

Same for me. Sony VGN-TXN27N. I left the Sony recovery partition there and used the Vista Ultimate tool to repartition the drive. I naively assumed if the tool ran without error then the partitioning was okay for BitLocker. Do folks think it is really necessary to remove the recovery partition?
March 9th, 2007 12:46pm

Addendum to my previous post. Since the message implies the TPM has detected a boot path modification, I used group policy to modify the TPM Platform Validation Profile so that only PCR 11 is used. This appears to disable all checks and the system boots correctly without requiring a key from me. So now the question is, which of the default PCR indices (0, 2, 4, 8, 9, and 10) are causing boot validation to fail. I can't tell if I can disable BitLocker and change the Platform Validation Profile, or whether I have to completely decrypt and re-encrypt to have the changes take effect. Does anyone know? If it's the former it'll be easy to find the culprit. I'm tired of these 5 hour experiments :(
March 9th, 2007 8:38pm

You don't have to have the entire hard drive encrypted to test that. Just start encrypting it, then pause encryption then reboot and test.
March 11th, 2007 10:52am

I tested all of them. If I leave out "PCR 9: NTFS Boot Block" it boots up without the error message. If this solves your problem please post in thread. Thanks, Daniel
March 11th, 2007 6:11pm

Update: I hibernated the system, and now it's asking me for the key again :( This is getting rather tedious! Back to testing each one....
March 12th, 2007 8:00am

I too am having the same problem with recovery at every reboot. I am using a Vaio SZ4 with TPM 1.2.
March 12th, 2007 9:31am

A couple of updates on this... I confirmed with someone at Microsoft that the PCR policy settings are re-read each time the disk is sealed, so you can disable/change/enable and the new settings are used. On my Sony VGN TXT27N I disabled all PCR settings except 11 and things worked fine. Then I enabled them one by one and still everything worked fine with the default profile (0, 2, 4, 8, 9, 10, 11). I'm not sure why, since initially I was getting the recovery screen with the default profile. Something clearly isn't quite right, but for now I have the defaults turned on and BitLocker is happy, even coming back from hibernation.
March 12th, 2007 10:04pm
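
Added example, not part of any post in this thread: several posts above cut the TPM Platform Validation Profile down to PCR 11 while troubleshooting, so it is worth confirming afterwards which PCRs the TPM protector is actually sealed to. This PowerShell sketch parses the text printed by `manage-bde -protectors -get C:` and compares it with the default profile quoted in the thread; the sample output is constructed, and the English-language output layout it expects is an assumption.

```powershell
# Added example: report which default PCRs a BitLocker TPM protector is NOT sealed to.
$DefaultProfile = 0, 2, 4, 8, 9, 10, 11   # default profile as quoted in the thread

function Get-PcrProfile {
    param([string[]]$Lines)
    # Assumed layout: the index list is on the line after "PCR Validation Profile:".
    for ($i = 0; $i -lt $Lines.Count - 1; $i++) {
        if ($Lines[$i] -match 'PCR Validation Profile') {
            return @([regex]::Matches($Lines[$i + 1], '\d+') |
                     ForEach-Object { [int]$_.Value })
        }
    }
    return @()   # no TPM protector section found in the text
}

function Test-PcrProfile {
    param([int[]]$Actual, [int[]]$Expected = $DefaultProfile)
    # PCRs in the expected profile that the protector does not depend on.
    $missing = @($Expected | Where-Object { $Actual -notcontains $_ })
    [pscustomobject]@{
        TpmProtectorFound = ($Actual.Count -gt 0)
        SealedTo          = $Actual -join ', '
        NotMeasured       = $missing -join ', '
        MatchesDefault    = ($missing.Count -eq 0 -and
                             $Actual.Count -eq $Expected.Count)
    }
}

# Constructed sample of a volume left on the PCR-11-only troubleshooting profile.
$sample = @'
Volume C: []
All Key Protectors

    TPM:
      ID: {00000000-0000-0000-0000-000000000000}
      PCR Validation Profile:
        11
'@ -split '\r?\n'

# On a live system, from an elevated prompt, replace $sample with:
#   $lines = manage-bde -protectors -get C:
Test-PcrProfile -Actual @(Get-PcrProfile -Lines $sample) | Format-List
```

A non-empty NotMeasured list means changes to the components measured into those PCRs will no longer trigger recovery, so a reduced profile left over from testing should be restored and the protector resealed.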

Mr Zebedee, I'd be really grateful if you could explain how to disable the PCR settings since I'd like to try this fix too. It's a real pain having to enter the BitLocker recovery key every reboot. Thanks
Mr. Zebedee wrote: A couple of updates on this... I confirmed with someone at Microsoft that the PCR policy settings are re-read each time the disk is sealed, so you can disable/change/enable and the new settings are used. On my Sony VGN TXT27N I disabled all PCR settings except 11 and things worked fine. Then I enabled them one by one and still everything worked fine with the default profile (0, 2, 4, 8, 9, 10, 11). I'm not sure why, since initially I was getting the recovery screen with the default profile. Something clearly isn't quite right, but for now I have the defaults turned on and bitlocker is happy, even coming back from hibernation.
March 15th, 2007 7:17am

Start Orb -> Run (or in the search field) -> gpedit.msc. Drill down to Administrative Templates - Windows Components - BitLocker Drive Encryption. In the right-hand pane of the window click on "Configure TPM Platform Validation Profile". This has all the PCR settings.
March 15th, 2007 10:23am

I tried disabling all PCR settings except 11 and I still get the recovery screen after a reboot :(
Daniel N wrote: Start Orb->Run (or in the search field)->gpedit.msc Drill down to Administrative Templates - Windows Components - Bitlocker Drive Encryption. In the right hand pane of the window click on "Configure TPM Platform Validation Profile" This has all the PCR settings.
March 15th, 2007 11:41am

When I tested it the setting didn't take effect unless I turned off BitLocker and decrypted the drive, then turned it back on with the new setting applied. I forgot to mention in the last post too: open an administrative command prompt (right click on CMD and click Run As Administrator) and type "gpupdate /force". This reloads the GPO (it usually takes a little while for them to refresh by default). An earlier post in this thread states that you just need to apply the new PCR settings and reboot, but from my own testing you really do need to disable, decrypt, enable and encrypt with a new key. The only way I found to speed things up without having to wait for the drive to fully encrypt each time was to skip the test, and right away click on the pause encryption option in the encryption dialog box. I would then perform my reboot test. I have to do it all again though. A reboot test and a hibernate test. It seems hibernating the workstation also changes startup information on the computer that BitLocker doesn't like.
March 15th, 2007 11:50am

I've had the same problem on a Vaio SZ2XP - get encryption key request at every boot. Don't suppose anyone has found a permanent solution to this problem?
April 16th, 2007 6:22pm

Please make sure the VAIO is configured as such:
1. TPM must be enabled in BIOS.
2. External Drive Boot must be enabled in BIOS.
3. Change the Boot order in BIOS:
   1. Internal Optical Drive
   2. Floppy Disk Drive
   3. Internal Hard Disk Drive
   4. USB Flash
Then the order of the remaining drives does not matter.
June 6th, 2007 3:55am

I tried this on my SZ2XP but it didn't appear to work. The laptop still requests encryption key at every boot. Sony have told me they won't support Bitlocker - so have almost given up on this one unless someone has found a way to get it working?
June 9th, 2007 2:35pm

First disable BitLocker (do not decrypt!!!)
2. Take ownership of the TPM chip
3. Reboot
4. Initialize TPM chip, enter password on TPM chip
5. Enable BitLocker
The drive is still encrypted and your TPM chip is loaded, and it won't request keys on boot. Regards, Patrick Veldboer
June 15th, 2007 8:58am

I am still having troubles getting this to work, but thanks for the advice. I'll post an update if I figure this out. wng
July 20th, 2007 2:57am

Hi, do you have any updates on this? I too have the same problem.
December 1st, 2007 2:17pm

Hi Wordsun, Have you found a fix? I am having the same problem. Sailor22
December 29th, 2007 3:54pm

I asked Sony again if they had any plans to update their drivers/BIOS to accommodate BitLocker properly for the SZ2XP and they said "no plans at present".
January 15th, 2008 6:45pm

Have you checked in the BIOS to make sure the TPM is turned on?
February 10th, 2010 7:02pm

What has worked for me is:
1. Boot up
2. Go to Control Panel then BitLocker Drive Encryption
3. Click Suspend Protection
4. Click Enable Protection
Rebooted and was all good.
February 12th, 2010 4:39pm

Amazing... this worked for me too! Did try to reset the TPM password with the "bitlocker file" password, but all the time it kept asking for the key at boot. After suspend and resume protection, I restarted and it was gone!! Thanks Esvabas!
March 5th, 2010 1:33pm

Hi Esvabas / Softgrid_applicator. Which model of Sony Vaio are you using? Just tried this approach but still getting encryption key request at every boot... Mine is the SZ2XP.
March 12th, 2010 5:27am

Well I finally managed to get BitLocker working properly on my Vaio VGN-SZ2XP by flashing the BIOS with one designed for a later (BitLocker compatible) SZ model. I'd just upgraded to Windows 7 Ultimate and BitLocker was still requesting key at every boot.
My inspiration was these threads which mention using a later SZ model BIOS on earlier SZ models:
http://forum.notebookreview.com/showthread.php?t=118601
http://forum.notebookreview.com/showthread.php?t=189228
In my case I used BIOS version R0112N0 designed for the SZ440. Downloaded from here:
http://esupport.sony.com/US/perl/swu-download.pl?mdl=VGNSZ440&upd_id=2717&os_id=29
Sony state this BIOS supports BitLocker. The installer complained when I tried to run it that it's not for my notebook model. I got around that by extracting with Universal Extractor (http://legroom.net/software/uniextract) and ran the executable located in the TEMPEXEFOLDER folder. An anxious minute or so passed, the BIOS was flashed, the SZ2XP rebooted. I enabled BitLocker, encrypted the drive, rebooted - and NO MORE key request at boot time!
I did this a few days ago and the system has been fine since - of course using a BIOS not designed specifically for my model is a risk, but so far so good. And I have BitLocker fully functioning. Very pleased.
March 12th, 2010 11:39pm

Same worked well here on an IBM Lenovo Laptop. Thanks bunches! Small sidenote: step 3 reads "Resume Protection" and not enable protection. Guess most can figure that out themselves though :) I have created a step by step tutorial including screenshots of how to accomplish this at: http://www.zomers.eu/knowledge/misc/Pages/Solve-having-to-enter-your-BitLocker-key-every-time-at-Windows-boot.aspx
June 27th, 2011 9:50am

What has worked for me is: 1. Boot up 2. Go to Control Panel then BitLocker Drive Encryption 3. Click Suspend Protection 4. Click Enable Protection Rebooted and was all good.
This worked for me. Thanks. IBM X60, Windows 7 Ultimate SP1
March 29th, 2012 8:17am

I have a user who was experiencing the same issue on a Windows 7 Enterprise SP1 Lenovo X201. Followed the procedure and rebooted several times just to make sure! :) It's all good now. Thanks a bunch for everyone's help on these forums.
June 21st, 2012 8:37am

This topic is archived. No further replies will be accepted.