Access Keys:
Skip to content (Access Key - 0)

Q: Why does BitLocker keep triggering?

Answer

BitLocker occasionally triggers a recovery scenario when you're not expecting it. This is often due to changes in the hardware configuration. Microsoft uses a set of criteria made up of PCRs (Platform Configuration Registers). The state of the hardware configuration at the time of encryption is used to create a baseline for BitLocker. If the hardware changes at anytime in the future, Windows will assume malicious hardware tampering such as a key logger. While this is a possible scenario, the far more likely scenario is simply innocuous hardware changes.

For instance, enabling BitLocker while using the built-in video card and then later switching to a discrete video card will cause BIOS to disable the built-in video hardware. Windows will detect the missing video card as a hardware change and trigger BitLocker. Leaving a bootable USB drive plugged into a USB port and then rebooting can change the available boot devices and trigger BitLocker recovery. Also, using a Thunderbolt dock with a computer can be detected as adding hardware and can trigger BitLocker recovery.

In order eliminate these BitLocker recovery triggers, we've made some changes to Microsoft's default TPM validation profile (set of PCRs). We've removed PCRs 0 and 2 that deal with these types of hardware changes. This change is implemented via GPO at the domain level and is also implemented via EPM Lite Touch so it'll apply to both domain and non-domain machines.

All computers in the domain that have enabled BitLocker after August 21st, 2016 are encrypted using the modified TPM validation profile. Those enabled prior to this date likely have the default Microsoft TPM validation profile. In order to fix older machines to use the updated TPM validation profile you'll need to suspend BitLocker (you don't have to decrypt), run a gpudpate command, and then resume BitLocker. We have created a task sequence in SCCM to automatically do these steps for you.

Deploying the TPM Validation Profile Fix Task Sequence

You'll find the task sequence to fix the TPM validation profile located at Software Library > Operating Systems > Task Sequences > MIT Task Sequences > EPM - Update TPM Validation Profile. Deploy the task sequence to your target collection. You'll want to create a collection based on the query called "MDOP MBAM Installed" located under Queries > MIT Queries. The task sequence takes about 10 seconds to run and is transparent to end users.

Filepath navigation to task sequence

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

September 22, 2016

Get Help

Request help
from the Help Desk
Report a security incident
to the Security Team
Labels:
sccm sccm Delete
endpoint endpoint Delete
management management Delete
bitlocker bitlocker Delete
tpm tpm Delete
c-sccm c-sccm Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.
Feedback
This product/service is:
Easy to use
Average
Difficult to use

This article is:
Helpful
Inaccurate
Obsolete
Adaptavist Theme Builder (4.2.3) Powered by Atlassian Confluence 3.5.13, the Enterprise Wiki