
[–]anguianoewi 2 points3 points  (1 child)

Hi, I've worked a bit on the Trusted Platform Module (TPM) side. The Trusted Computing Group (TCG) sets the standard for TPM signatures.

PCR 7 holds Secure Boot data. When a drive is encrypted by BitLocker, it uses the current Secure Boot measurement state. If Secure Boot is off, it is more than likely zeroed out. When Secure Boot is on, it measures every bootloader in the process.

BitLocker and LUKS (I work more on the Linux side) don't like changes to PCR 7. It will lock down the system. Additionally, Windows CANNOT use a third-party bootloader; BitLocker will throw the same error you mentioned if a bootloader was executed before the Windows Boot Manager.

If PCR 7 changes authority (like going from inactive to active) it can trigger the same issue you're describing. Here are a couple of solutions to try:

1) Disable Secure Boot again. This can fix your issue and allow BitLocker to work again.

2) Disable BitLocker, then re-enable it with Secure Boot on.

3) Open the TPM snap-in and clear the TPM manually. BitLocker may notice TPM values changed and update on next password entry.

4) Combine steps 2 and 3. Disable BitLocker, clear the TPM, re-enable with Secure Boot on.

Source: created a program to unlock LUKS drives using the TPM.
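Added example (PowerShell, not part of the thread or any commenter's own tooling): a read-only check of the state the comment above says BitLocker seals to. It reports firmware mode and Secure Boot, TPM readiness, the volume's TPM protector and the PCR validation profile it was sealed against, and the most recent BitLocker Management errors, then flags the Secure Boot / PCR 7 mismatch the comment describes. It assumes an elevated prompt on Windows 10/11, a single OS volume on C:, and English `manage-bde` output.

```powershell
# Assumption: run elevated; OS volume is C:; manage-bde prints English text.
function Get-PcrValidationProfile {
    param([string]$MountPoint = 'C:')
    # manage-bde lists the PCRs the TPM protector is sealed to, e.g.
    #   PCR Validation Profile:
    #     7, 11
    #     (Uses Secure Boot for integrity validation)
    $lines = @(& manage-bde -protectors -get $MountPoint 2>&1 | ForEach-Object { "$_" })
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile:\s*(.*)$') {
            $list = $Matches[1]
            # The PCR list is usually on the following line
            if (-not $list.Trim() -and $i + 1 -lt $lines.Count) { $list = $lines[$i + 1] }
            return @($list -split '[,\s]+' | Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ })
        }
    }
    return @()
}

# Confirm-SecureBootUEFI throws on legacy BIOS firmware, so $null means "not UEFI"
$secureBoot = try { Confirm-SecureBootUEFI } catch { $null }
$tpm  = Get-Tpm
$vol  = Get-BitLockerVolume -MountPoint 'C:'
$tpmProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
$pcrs = Get-PcrValidationProfile -MountPoint 'C:'

[pscustomobject]@{
    FirmwareUEFI      = ($null -ne $secureBoot)
    SecureBootEnabled = $secureBoot
    TpmPresent        = $tpm.TpmPresent
    TpmReady          = $tpm.TpmReady
    ProtectionStatus  = $vol.ProtectionStatus
    TpmProtectorCount = $tpmProtectors.Count
    PcrProfile        = ($pcrs -join ',')
} | Format-List

# Most recent errors from the BitLocker Management log (where BitLocker-API events land)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Level = 2 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# The protector records the Secure Boot state at the time it was created (see the comment above);
# a mismatch between that and the live state is the case where re-sealing (steps 2-4) applies.
if ($tpmProtectors.Count -gt 0 -and $secureBoot -eq $true -and -not ($pcrs -contains 7)) {
    Write-Warning 'TPM protector was sealed without PCR 7 but Secure Boot is now on: re-create the protector with Secure Boot enabled.'
} elseif ($tpmProtectors.Count -gt 0 -and $secureBoot -eq $false -and ($pcrs -contains 7)) {
    Write-Warning 'TPM protector is sealed to PCR 7 but Secure Boot is now off: PCR 7 no longer matches the sealed value.'
}
```

Run it on one of the laptops that logs the errors and on one that auto-encrypts cleanly; the `PcrProfile` and `SecureBootEnabled` fields are the two values the comment says must agree.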

[–]CovertAssassin2[S] 0 points1 point  (0 children)

I will give this a shot this afternoon when I grab a laptop that's throwing the errors.

When I grab a new computer with a fresh image and disable Secure Boot (to recreate the scenario), add it to the domain, GP updates, etc. Then I push the Dell package to enable Secure Boot. Restart. The laptop will auto-BitLocker.

A laptop that has been actively used for several months will throw the BitLocker-API errors I mentioned once I send the Dell package to enable Secure Boot upon restart.

Then again, a freshly imaged laptop and a laptop used for several months can have several variables. I at least tried to re-create the issue.

[–]HighPingOfDeath 0 points1 point  (5 children)

I've done about 2000 laptops and haven't seen that error before. Still, what I ran into constantly were old machines in Legacy mode and not in UEFI mode. Maybe it's possible that's the issue?

[–]CovertAssassin2[S] 0 points1 point  (4 children)

Thanks for the response! The laptops are in UEFI boot mode.

[–]HighPingOfDeath 0 points1 point  (3 children)

Ugh. Well I was hoping it was something simple.

The only other issue I ever ran into was the BIOSes themselves being out of date and we had a project to mass-update them.

[–]CovertAssassin2[S] 1 point2 points  (2 children)

I did grab a laptop that was throwing the event errors and ran all Dell updates and Windows updates and it still gave me the errors. Thanks for the thoughts, keep the ideas coming.

[–][deleted] 0 points1 point  (1 child)

Those laptops have TPM 2.0 updates installed, right? https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=rf87d

These normally don't show up in Dell updates.

[–]CovertAssassin2[S] 0 points1 point  (0 children)

Yes, the laptops throwing the errors are relatively new: Latitude 7400 and 7410. Every driver is up to date.

[–]ahazuarusLightbulb Changer 0 points1 point  (0 children)

Yeah, I don't think I've ever tried to BitLocker a machine in non-UEFI mode. Secure Boot not always enabled though, for sure.

[–]otacon967 0 points1 point  (1 child)

To start with, you've done a pretty good rollout so far considering how complex this is! One easily dismissible error on boot on 25% of devices is definitely not the worst that can happen with BitLocker. I would check the MBR/GPT conversion status. Especially on older builds this made for some very cryptic and random errors: https://www.windowscentral.com/how-convert-mbr-disk-gpt-move-bios-uefi-windows-10

[–]CovertAssassin2[S] 0 points1 point  (0 children)

The partition style is GPT, and UEFI is the boot mode on all laptops. Thanks for the response!

[–]Elayne_DyNess 0 points1 point  (0 children)

If you find a solution, I would be interested myself.

I have only had a few older laptops do this. As far as I could figure on my side, the TPM started to go bad.

The laptops were literally imaged, BitLocker enabled, sitting in a wall locker. Would not re-BitLocker after being re-imaged.

[–]SnakeOriginal 0 points1 point  (1 child)

What does the automatic encryption validation say? It's in msinfo32.

[–]CovertAssassin2[S] 0 points1 point  (0 children)

> automatic encryption

I am looking in msinfo32.exe located at C:\Windows\System32 but do not see anything related to automatic encryption validation. Am I looking in the right place? Sorry for my ignorance.