Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

UEFI-based Machines Prompt for BitLocker Recovery Key



Symptoms

On Windows 7 and Windows Server 2008 R2 systems with UEFI firmware, you may be prompted for the BitLocker recovery key at startup if the firmware's Compatibility Support Module (CSM) is enabled.

This occurs when a USB device is attached while the machine boots, even though the operating system volume and its boot files have not changed.



Cause

The TCG PC Client specification requires the platform firmware to measure boot configuration data into PCR 5 (for a UEFI boot, the boot manager code configuration and data, including the GPT partition table; for the legacy BIOS boot path that the CSM provides, the IPL code configuration and data). That configuration data changes when a USB device is attached at boot, so the PCR 5 value differs from the value that was recorded when BitLocker sealed the volume master key to the TPM. The TPM therefore refuses to unseal the key, and BitLocker falls back to asking for the recovery key.



Workaround

To avoid this recovery event, consider one of the following:
  1. Do not attach USB devices while the machine boots.
  2. Remove PCR 5 from the TPM Platform Validation Profile.
Note that the second option weakens BitLocker's boot-integrity check: changes to the configuration data measured into PCR 5 (for example, to the partition table) will no longer force recovery. Weigh this against the operational cost of the recovery prompts before deploying it.
Perform the following steps to remove PCR 5 from the TPM Platform Validation Profile:
  1. In an enterprise environment, contact your system administrator; the policy is normally set centrally in a domain Group Policy Object.
  2. In an unmanaged environment, you can perform the following steps:
    1. Open the Local Group Policy Editor (gpedit.msc) and navigate to Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives.
    2. Enable the "Configure TPM platform validation profile" policy.
    3. In the list of PCRs, uncheck PCR 5.
    4. Apply the policy to the client machine by running gpupdate /force.
    5. The updated profile takes effect only when the TPM key protector is re-created, so BitLocker protection must be suspended and then resumed. Make sure a copy of the recovery key is available before doing this.
      1. Open Control Panel, BitLocker Drive Encryption and click Suspend Protection.
      2. Open Control Panel, BitLocker Drive Encryption and click Resume Protection.
      3. To suspend and resume BitLocker protection from an elevated command prompt instead:
        • To suspend protection:
          >manage-bde -protectors -disable c:
        • To resume protection:
          >manage-bde -protectors -enable c:
    6. Confirm the change with manage-bde -protectors -get c: and check that the PCR validation profile listed for the TPM key protector no longer includes 5.
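The following PowerShell script is an added example and is not part of the KB article. It automates the re-seal step above: it reads the PCR profile the TPM key protector is currently sealed to (through the Win32_EncryptableVolume WMI class rather than by parsing localized manage-bde output), refuses to proceed unless a recovery password protector exists, suspends and resumes protection with the same manage-bde commands the article gives, and then verifies that PCR 5 is gone from the profile. It assumes an elevated PowerShell prompt on Windows 7 or Windows Server 2008 R2, that the operating system volume is C:, and that the policy has already been applied with gpupdate /force; the $OsDrive and $UnwantedPcr parameters are illustrative defaults.

```powershell
# Added example (not from the KB article): re-seal BitLocker on the OS volume so that the
# TPM platform validation profile set by policy (with PCR 5 removed) takes effect, and verify it.
# Assumes: elevated PowerShell on Windows 7 / Server 2008 R2, OS volume C:, policy already applied.
param(
    [string]$OsDrive = 'C:',   # illustrative default
    [int]$UnwantedPcr = 5      # the PCR the policy was changed to exclude
)

$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Get-OsVolume {
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$OsDrive'"
}

# Returns the PCR list the TPM-based key protector is sealed to, or an empty array if there is none.
# Key protector types: 1 = TPM, 4 = TPM+PIN, 5 = TPM+startup key, 6 = TPM+PIN+startup key.
function Get-TpmPcrProfile($vol) {
    foreach ($type in 1, 4, 5, 6) {
        $kp = $vol.GetKeyProtectors($type)
        if ($kp.ReturnValue -eq 0 -and $kp.VolumeKeyProtectorID) {
            $id  = @($kp.VolumeKeyProtectorID)[0]
            $pvp = $vol.GetKeyProtectorPlatformValidationProfile($id)
            if ($pvp.ReturnValue -ne 0) {
                throw ("GetKeyProtectorPlatformValidationProfile failed: 0x{0:X8}" -f $pvp.ReturnValue)
            }
            return @($pvp.PlatformValidationProfile | ForEach-Object { [int]$_ })
        }
    }
    return @()
}

$vol = Get-OsVolume
if (-not $vol) { throw "Volume $OsDrive is not an encryptable volume" }

# Safety check: a failed re-seal leaves only the recovery password to unlock the drive,
# so insist that one exists (type 3 = numerical password) before touching the protectors.
$rp = $vol.GetKeyProtectors(3)
if ($rp.ReturnValue -ne 0 -or -not $rp.VolumeKeyProtectorID) {
    throw "No recovery password protector on $OsDrive; add one (manage-bde -protectors -add $OsDrive -rp) and back it up first"
}

$before = Get-TpmPcrProfile $vol
if ($before.Count -eq 0) { throw "No TPM-based key protector found on $OsDrive" }
Write-Host "Current TPM validation profile: $($before -join ', ')"
if ($before -notcontains $UnwantedPcr) {
    Write-Host "PCR $UnwantedPcr is already excluded; nothing to do."
    return
}

# Suspend and resume: the TPM key protector is re-created under the policy's profile on resume.
& manage-bde.exe -protectors -disable $OsDrive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Suspend failed (manage-bde exit code $LASTEXITCODE)" }
& manage-bde.exe -protectors -enable $OsDrive | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Resume failed (exit code $LASTEXITCODE); protection is still suspended, rerun: manage-bde -protectors -enable $OsDrive"
}

$after = Get-TpmPcrProfile (Get-OsVolume)
Write-Host "New TPM validation profile: $($after -join ', ')"
if ($after -contains $UnwantedPcr) {
    Write-Warning "PCR $UnwantedPcr is still in the profile: the policy was not applied (check gpresult /r, then rerun gpupdate /force)."
} else {
    Write-Host "PCR $UnwantedPcr removed; the next boot with a USB device attached should not prompt for the recovery key."
}
```

The script deliberately reads the profile before and after the suspend/resume cycle: if PCR 5 is still listed afterwards, the protector was re-created from a policy that had not reached the machine, and cycling protection again will not help until the policy is actually applied.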



Keywords: kb


Article Info
Article ID : 2670514
Revision : 1
Created on : 1/7/2017
Published on : 1/26/2012
Exists online : False
Views : 299