How to deal with unauthorized modifications caught by BitLocker
I posted this initially on 'Microsoft Answers' but was advised to post it here instead. I am looking for guidance about how to deal with possible unauthorized modifications which have been caught by BitLocker. There is considerable discussion on different forums about systemic problems, e.g. BitLocker always refusing to boot due to BIOS issues, but virtually nothing I can find about what to do when something truly unauthorized may have happened, but which is not obvious.

The reason for my asking is because I have had two occurrences over several months of use of my new laptop where BitLocker has refused to boot saying that the system boot information has changed. I have done nothing of which I am aware to cause this, so assume that there may truly have been unauthorized attempts by malware to modify my system. I have performed full scans using Norton Internet Security, and also the separate Norton Power Eraser which can detect rootkits etc., but everything checks out OK.

It is easy to boot with a BitLocker key on a USB stick, and then use the BitLocker Suspend and Resume functions to get rid of the startup interruption, but this will not eliminate any unidentified unauthorized modification. I will simply be living with it, and it may be a zero-day hack now permanently on my PC.

Can anyone advise:

(1) How do I 'restore the system boot information' as instructed by the BitLocker warning screen? There are many approaches to system recovery available, and I don't want to restore more than absolutely necessary. Exactly what is required, and how?

(2) How do I determine exactly what has been changed, so as to be able to try to understand what happened? Is there a BitLocker log which explains the issue, or is it possible to do comparisons between before and after images to identify the exact change which triggered BitLocker's action?

(3) How can I get back to a state without any potentially unauthorized modifications, well after they happen? Do I simply need to re-install everything from scratch, repeatedly performing full back-ups until some day BitLocker again complains?

FWIW, I am running Windows 7 Ultimate on a Lenovo ThinkPad T520. Thanks in advance.
January 8th, 2012 10:14am

It may not necessarily be malware. There are a lot of valid actions where BitLocker needs to be suspended or reset. Did you or any software possibly do any of these? A number of scenarios can trigger a recovery process, for example:

- Moving the BitLocker-protected drive into a new computer.
- Installing a new motherboard with a new TPM.
- Turning off, disabling, or clearing the TPM.
- Updating the BIOS.
- Updating option ROM.
- Upgrading critical early boot components that cause system integrity validation to fail.
- Forgetting the PIN when PIN authentication has been enabled.
- Losing the USB flash drive containing the startup key when startup key authentication has been enabled.

http://technet.microsoft.com/en-us/library/cc732774.aspx

In any case I will check on the guidance, but I don't believe it will cover most of the scenarios listed above as it is outside the control of Windows, except maybe Windows boot info change.

Sumesh P - Microsoft Online Community Support
January 12th, 2012 9:39am
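The triggers listed in the answer above all amount to a change in one of the platform measurements (TPM PCRs) that the volume key is sealed to: a BIOS update changes the firmware measurement, an option ROM update changes the option ROM measurement, and a patched boot manager or winload changes the boot-path measurements. The practical first step toward question (2) of the original post is to collect what Windows actually records before suspending and resuming BitLocker, so the cause can be matched against Windows Update history and BIOS version. The script below is an added example written for this thread; it is not code from either poster or from Microsoft. It assumes Windows 7 or later with manage-bde.exe, PowerShell 2.0 or newer, an elevated prompt, and that the protected OS volume is C:. The $Drive, $OutDir, $MaxEvents values and the seven-day window are assumptions you can change; event log names are discovered with a wildcard rather than hard-coded because they differ between Windows versions.

```powershell
# Added example, not from the original thread: gather the evidence a defender
# wants when BitLocker drops into recovery -- protector configuration and PCR
# profile, BitLocker/TPM event logs, boot-related System events, and hashes of
# the early-boot files so two snapshots can be compared.
# Assumptions: Windows 7+, manage-bde.exe present, PowerShell 2.0+, run elevated.
param(
    [string]$Drive     = "C:",                      # assumed: BitLocker OS volume
    [int]   $MaxEvents = 50,                        # assumed: events per log to keep
    [string]$OutDir    = "$env:USERPROFILE\Desktop\bitlocker-triage"   # assumed
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Protector status. "-protectors -get" prints the TPM protector's
#    "PCR Validation Profile": the set of measurements the key is sealed to.
#    Any scenario in the answer above changes at least one of those PCRs.
& manage-bde -status $Drive          | Out-File "$OutDir\status.txt"
& manage-bde -protectors -get $Drive | Out-File "$OutDir\protectors.txt"

# 2. Every BitLocker- and TPM-related event log that has records. Enumerating
#    with a wildcard avoids depending on one version-specific log name.
$logs = Get-WinEvent -ListLog "*BitLocker*", "*TPM*" -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 }

foreach ($log in $logs) {
    $safeName = $log.LogName -replace '[\\/]', '_'
    Get-WinEvent -LogName $log.LogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-List | Out-File "$OutDir\$safeName.txt"
}

# 3. Boot-path events from the System log in the window around the recovery
#    prompt (TPM driver, firmware/boot providers). Widen the window if needed.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'TPM|BitLocker|Kernel-Boot|Kernel-General|Firmware' } |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-List | Out-File "$OutDir\system-boot.txt"

# 4. SHA-256 of the early-boot files Windows measures. Uses .NET directly so it
#    also works on PowerShell 2.0, which lacks Get-FileHash. bootmgr normally
#    lives on the unlettered System Reserved partition, so it is hashed only if
#    it is reachable from the OS volume.
$bootFiles = @(
    "$env:SystemRoot\System32\winload.exe",
    "$env:SystemRoot\System32\winresume.exe",
    "$env:SystemDrive\bootmgr"
)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$hashFile = "$OutDir\boot-hashes.txt"
foreach ($path in $bootFiles) {
    if (Test-Path $path) {
        $bytes = [System.IO.File]::ReadAllBytes($path)
        $hex   = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString("x2") }) -join ''
        $ver   = (Get-Item $path).VersionInfo.FileVersion
        "$hex  $path  (version $ver, modified $((Get-Item $path).LastWriteTime))" |
            Out-File $hashFile -Append
    }
}

Write-Host "Triage output written to $OutDir; archive it before suspending BitLocker."
```

Run it once now and again immediately after the next recovery prompt, then compare the two directories. A legitimate trigger from the answer's list shows up as a boot-file hash and version change dated the same day as a Windows Update entry, or as a BIOS version change in msinfo32 dated the same day as a firmware flash. A changed hash or a TPM/BitLocker event with no matching update or firmware history is the case worth keeping the output for and escalating, rather than simply resuming protection.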

