Windows 10: I have a BitLocker API warning related to Secure Boot

For the past few months I have been having occasional problems with booting up my computer. Sometimes I will open my laptop for the first time that day, and be greeted with a blue "BitLocker Recovery" screen asking for my recovery key. A few days ago when I opened my laptop, I was unable to sign in because of a message saying "This sign in option is disabled because of failed sign-in attempts or repeated shutdowns", despite the fact that I had gotten the password correct and hadn't shutdown my computer. After waiting 2 hours I was able to get back in, only for the same error to appear the next

:)

 

Using BitLocker when secure boot is disabled

Hi Bilal,



Thank you for writing to Microsoft Community Forums.



I would suggest you to refer article on
Disabling Secure Boot.



However, let me help you in pointing in the right direction where you will get support for issues related to BitLocker and Secure Boot.



I would suggest you to post your query on
TechNet forums, where we have expertise and support professionals who are well equipped with the knowledge to assist you with your query.



For additional reference, you may also check
BitLocker Group Policy settings



Regards,

Prakhar Khare

Microsoft Community – Moderator

 

Bitlocker Secure Boot unavailable.

I am in the process of migrating a number of Dell machines from Windows 7 to Windows 10. All of the machines are getting a full re-install and we are enabling UEFI Boot and Secure Boot at the same time. However we have noticed that in the BitLocker-API
event log we are getting the following two entries reporting that Secure Boot is unavailable. Do we know how to resolve this as I would like to take advantage of the Secure Boot features as we are moving over to Windows 10.

Log Name: Microsoft-Windows-BitLocker/BitLocker Management

Source: Microsoft-Windows-BitLocker-API

Date: 21/02/2018 16:45:34

Event ID: 813

Task Category: None

Level: Warning

Keywords:

User: DOMAIN\user

Computer: computer.domain.net

Description:

BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'SecureBoot' is missing or invalid.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-BitLocker-API" Guid="{5D674230-CA9F-11DA-A94D-0800200C9A66}" />

<EventID>813</EventID>

<Version>0</Version>

<Level>3</Level>

<Task>0</Task>

<Opcode>0</Opcode>

<Keywords>0x4000000000000000</Keywords>

<TimeCreated SystemTime="2018-02-21T16:45:34.458498900Z" />

<EventRecordID>201</EventRecordID>

<Correlation />

<Execution ProcessID="13216" ThreadID="10252" />

<Channel>Microsoft-Windows-BitLocker/BitLocker Management</Channel>

<Computer>computer.domain.net</Computer>

<Security UserID="S-1-1-11-1111111111-1111111111-1111111111-1111" />

</System>

<EventData>

<Data Name="VariableName">SecureBoot</Data>

</EventData>

</Event>

Log Name: Microsoft-Windows-BitLocker/BitLocker Management

Source: Microsoft-Windows-BitLocker-API

Date: 21/02/2018 16:45:34

Event ID: 834

Task Category: None

Level: Information

Keywords:

User: DOMAIN\user

Computer: computer.domain.net

Description:

BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-BitLocker-API" Guid="{5D674230-CA9F-11DA-A94D-0800200C9A66}" />

<EventID>834</EventID>

<Version>0</Version>

<Level>4</Level>

<Task>0</Task>

<Opcode>0</Opcode>

<Keywords>0x4000000000000000</Keywords>

<TimeCreated SystemTime="2018-02-21T16:45:34.464896700Z" />

<EventRecordID>202</EventRecordID>

<Correlation />

<Execution ProcessID="13216" ThreadID="10252" />

<Channel>Microsoft-Windows-BitLocker/BitLocker Management</Channel>

<Computer>computer.domian.net</Computer>

<Security UserID="S-1-1-11-1111111111-1111111111-1111111111-1111" />

</System>

</Event>

Moved from Windows / Windows 10 / Security & privacy

 

BitLocker

Hi,



Thank you for writing to Microsoft Community Forums.



I understand that you are facing issues with BitLocker recovery key on your PC, and I certainly appreciate your efforts in trying to resolve the issue.



We will certainly look into this for you.



Let’s try disabling secure boot on the PC. Follow the steps mentioned below and check if that helps.

1. Power the device off and then back on.
   
2. Look for a message on the boot screen just before or after the manufacturer logo appears. You may need to press the F1, F2, or Delete button, whatever key is indicated on the boot screen to enter BIOS Settings.
   
3. Inside BIOS, look for a tab called BOOT and select that page. Depending on the BIOS manufacturer, this page could be BOOT, ADVANCED, STARTUP, etc.
   
4. Look for a setting for UEFI Secure Boot. Each BIOS could have a different name for this. These are the keywords to look for: UEFI, Secure Boot, Legacy Boot.
   
5. Toggle the Secure Boot setting to disabled and attempt to boot the machine.
   

In addition, you can try disabling BitLocker using the manage bde commands and see if that helps. Try booting the PC in WinRE mode and then refer the article Disable-BitLocker



Kindly follow the steps to boot to WinRE mode.

1. Reboot the PC using Power button and once you see the manufacturer logo press the power button again.
   
2. Repeat step 1 at least 2-3 times until you see the System Recovery Options screen
   
3. On the System Recovery Options screen, select Troubleshoot> Advanced options > Command Prompt.
   

If the issue persists, I would suggest you to post your query on Windows on Q&A, where we have support professionals who are well equipped with the knowledge on issues related to Bit-Locker, to assist you with your query.



Regards,

Prakhar Khare

Microsoft Community – Moderator