Windows 10: Surface Book prompts for Bitlocker key on startup

My Surface Book 1 running Win 10 Pro with all updates installed has started prompting for the Bit Locker key when it is powered on. If I power off and on again it boots without prompting for the Bit Locker key. What causes this? Is there a fix? It is very annoying. Thanks.

:)

 

Prompt for BitLocker key

Hi Timothy,

Thank you for writing to Microsoft community forums.

I understand that it can be difficult when your own computer is inaccessible due to some changes that could have happened. However, let's try a few troubleshooting steps and see if we can access the drive.

• Are you aware of any changes that happened on the computer prior to this issue?
  
• Did you setup a BitLocker on your device before?
  

If you’ve not setup the BitLocker and it’s still prompting for the key,
you may try to locate the BitLocker key on your Microsoft account, which will help you access the drive. Refer
Find my BitLocker recovery key to
know how to find the BitLocker recovery key.

If no recovery key is found, you may enable the secure boot setting from BIOS and check if you can access the drive.

• Power off the device and then power it on.
  
• Look for a message on the boot screen just before or after the manufacturer logo appears. You may need to press the
  ‘F1’,’F2’, or
  ‘Delete’button, whatever key is indicated on the boot screen to enter BIOS Settings.
  
• Within BIOS, choose the tab ‘BOOT’.
  

Note: Depending on the BIOS manufacturer this page could be
BOOT, ADVANCED, STARTUP etc.

• Look for a setting called
  ‘UEFI Secure Boot’ and toggle the Secure Boot setting to
  ‘Enabled’.
  

Note: Each BIOS could have a different name for
UEFI Secure Boot. These are the keywords to look for:
‘UEFI’, ‘Secure Boot’,‘Legacy Boot’.

• Restart the machine now to see if you can access the drive.
  

Note:

Modifying BIOS/ complementary metal oxide semiconductor (CMOS) settings incorrectly can cause serious problems that may prevent your computer from booting properly. Microsoft cannot guarantee that any problems resulting
from the configuring of BIOS/CMOS settings can be solved. Modifications of the settings are at your own risk.

Regards,

 

Updates for Surface Book and Surface Pro 4 March 7th 2017

Source: https://blogs.technet.microsoft.com/...-7-march-2017/

 

BitLocker key

Hi. HC_75

My name is Mila

Independent Advisor

I hope to help.

This behavior can occur in the following situation:

• BitLocker is enabled and configured to use the platform configuration register (PCR) values other than the PCR 7 and 11 default values of the PCR, for example, when:

• Start of Secure is disabled.

• PCR values have been defined explicitly, as a group policy.

• Install a firmware update that updates the firmware of the TPM device or changes the firmware signature of the system. For example, install the dTPM surface update (IFX).

Note: You can check the PCR values that are in use on a device by running the following command from a command prompt with elevated privileges:

admin-bde.exe-protectors-get <OSDriveLetter>:

Warning:

Encryption Unit BitLocker helps protect the confidential information of your organization by encrypting the data. This solution to temporarily disable BitLocker can put the data at risk.

Method 1: Suspend BitLocker during UEFI or TPM firmware updates

You can avoid this situation by installing system firmware updates or TPM module firmware by temporarily suspending BitLocker before applying updates to TPM or UEFI firmware using Suspend BitLocker.

Note: UEFI and TPM firmware updates may require several reboots during installation.

To suspend BitLocker for the installation of UEFI or TPM firmware updates:

1. Open an administrative PowerShell session.

2. Type the following cmdlet and press ENTER: BitLocker suspend MountPoint "C:" - RebootCount 0where C: is the drive assigned to the disk

3. Install the firmware updates and surface device driver.

4. After the correct installation of the firmware updates, resume BitLocker using the Resume-BitLocker cmdlet as follows: Resume-BitLocker -MountPoint "C:"

Method 2: Enable secure startup and restore the default PCR values.

It is recommended that you restore the default and recommended settings for safe boot and PCR values after BitLocker is suspended to avoid entering BitLocker recovery when applying future updates to UEFI or TPM firmware.

To enable secure boot on a surface device with BitLocker enabled:

1. Suspend BitLocker using the Suspend BitLocker cmdlet, as described in method 1.

2. Boot the UEFI surface device using one of the methods defined in surface UEFI using Surface Laptop, new Surface Pro, Studio surface, Surface Book and Surface Pro 4.

3. Select the security section.

4. Click on change the settings in "Secure Start".

5. Select Microsoft Only and click OK.

6. Select Saliry, then restart to restart the device.

7. Resume BitLocker using the Resume-BitLocker cmdlet, as described in method 1.

To change the PCR values used to validate the BitLocker drive encryption:

1. Disable the group policies that configure PCR or remove the device from the groups where these policies apply. For more information, see "Deployment options" in the BitLocker Group Policy Reference.

2. Suspend BitLocker using the Suspend BitLocker cmdlet, as described in method 1.

3. Resume BitLocker using the Resume-BitLocker cmdlet, as described in method 1.

Method 3: Remove protectors from the start unit.

If you have installed a TPM or UEFI update and the device is able to boot, even when you enter the correct BitLocker recovery key, you can restore the boot capacity using the BitLocker recovery key and a surface recovery image to remove BitLocker protectors
from the boot drive.

To remove the protectors from the boot drive using the BitLocker recovery key:

1. Obtain the BitLocker recovery key at go.microsoft.com/fwlink/p/?LinkId=237614 or if BitLocker is managed by other means such as Microsoft BitLocker administration and monitoring (MBAM), contact the administrator.

2. From another computer, download the surface recovery image to download a recovery image of the surface and create a USB recovery drive.

3. Boot from the USB surface recovery image unit.

4. When prompted, select the language of the operating system.

5. Select the keyboard layout.

6. Select solve.

7. Select Advanced Options.

8. Select the command prompt.

9. Run the following commands: manage-bde-unlock - recoverypassword <password> C: manage-bde-protectors-disable C: where C: is the drive assigned to the disk and <password> is the BitLocker recovery key that you got in step 1.

Note: For more information about how to use this command, see the Microsoft Docs Manage-bde article: unlock.

10. Restart the computer.

11. When prompted, enter the BitLocker recovery key that you obtained in step 1.

Note: After disabling the BitLocker protectors on the boot drive, the device will no longer be protected by BitLocker drive encryption. You can re-enable BitLocker by selecting Start, type Manage BitLocker, and press ENTER to start the BitLocker drive encryption
Control applet subprogram and following the steps to encrypt the drive.

Method 4: Retrieve the data and restart the device with Bare Metal Recovery (BMR) surface.

To recover data from the surface device if you cannot start the computer in Windows:

1. Obtain the BitLocker recovery key at
https://go.microsoft.com/fwlink/p/?LinkId=237614 or if BitLocker is managed by other means such as Microsoft BitLocker administration and monitoring (MBAM), contact the administrator.

2. From another computer, download the surface recovery image to download a recovery image of the surface and create a USB recovery drive.

3. Boot from the USB surface recovery image unit.

4. When prompted, select the language of the operating system.

5. Select the keyboard layout.

6. Select solve.

7. Select Advanced Options.

8. Select the command prompt.

9. Run the following command: manage-bde-unlock -recoverypassword <password> C: where C: is the drive assigned to the disk and <password> is the BitLocker recovery key that you obtained in step 1

10. After the unit is unlocked, use the copy or xcopy commands to copy the user data to another unit.

Note: For more information about these commands, see the Windows Command Line Reference.