Question
Tuesday, November 7, 2017 10:03 AM
Hello.
I am using BitLocker with an ASUS Trusted Platform Module TPM-M R2.0
I recently had to reset my Secure Boot keys to the mainboard defaults, and then I get this message when booting:
"You need to enter your recovery key because Secure Boot policy has unexpectedly changed."
I have no recovery keys for the root volume C:
What's up with this? I thought that BitLocker uses the keys from the TPM module.
Any workarounds? It's really stupid for the hard drive to be encrypted with keys on a TPM, yet I need a recovery key that I don't have.
Thus losing access to my data.
All replies (5)
Wednesday, November 8, 2017 7:07 AM ✅Answered
Hi Nicolae,
This is by design and more secure for everyone's Windows. Once BitLocker detects that your boot environment has changed, it will ask for the recovery information to double-confirm your Windows security.
Here is the Microsoft official document; it says that:
Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key.
BitLocker Countermeasures
/en-us/windows/device-security/bitlocker/bitlocker-countermeasures
Therefore, as you have no recovery key, there is no other method to unlock it.
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, November 8, 2017 7:22 AM ✅Answered
It's like this: the TPM holds the strong key. Your PIN is only an access code to the TPM. The TPM will only release the strong key under certain defined conditions. If one of these conditions changes - in this case, Secure Boot - it will not release the key, so BitLocker will ask for another key instead: the recovery key. If these conditions were met again (Secure Boot keys were returned to what they were before), the TPM would again release the strong key.
I have to say I am not deep in secure boot, so I am not sure how you can return it to its previous state.
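The mechanism in the reply above, as an added model (not code from Microsoft or from anyone in this thread): the TPM extends PCR 7 with the Secure Boot policy (Secure Boot state and the PK/KEK/db/dbx variables), BitLocker's TPM protector is sealed to that PCR value, and the recovery protector is independent of it. Resetting the keys to defaults therefore changes the digest, the TPM refuses to unseal, and only the recovery key can unlock; restoring the old variables makes the TPM path work again. The measured-variable list, the XOR wrapping and every sample value are constructed assumptions, not the real BitLocker or TPM formats.

```python
import hashlib

def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM 2.0 extend: PCR_new = SHA-256(PCR_old || SHA-256(event)). PCRs can only be extended, never set."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def measure_secure_boot(variables: dict) -> bytes:
    """Model of PCR 7: Secure Boot state and the PK/KEK/db/dbx contents are measured in a fixed order."""
    pcr = bytes(32)  # PCRs are all-zero after reset
    for name in ("SecureBoot", "PK", "KEK", "db", "dbx"):
        pcr = pcr_extend(pcr, name.encode() + b"=" + variables[name])
    return pcr

def _wrap(key: bytes, secret: bytes) -> bytes:
    # Toy wrapping for illustration only: XOR with a pad derived from the secret (self-inverse).
    pad = hashlib.sha256(secret).digest()
    return bytes(a ^ b for a, b in zip(key, pad))

def seal_to_pcr7(vmk: bytes, pcr7: bytes) -> dict:
    """Model of the TPM protector: the volume master key is bound to the expected PCR 7 value."""
    return {"policy": pcr7, "blob": _wrap(vmk, b"tpm-seal" + pcr7)}

def unseal(sealed: dict, pcr7_now: bytes):
    """The TPM releases the key only when the PCR 7 measured at this boot equals the sealed policy."""
    if pcr7_now != sealed["policy"]:
        return None
    return _wrap(sealed["blob"], b"tpm-seal" + pcr7_now)

def boot(sealed: dict, recovery_blob: bytes, variables: dict, recovery_key: bytes = None):
    """Returns which protector unlocked the volume ('tpm', 'recovery' or 'locked') and the key."""
    vmk = unseal(sealed, measure_secure_boot(variables))
    if vmk is not None:
        return "tpm", vmk
    if recovery_key is None:
        return "locked", None  # the poster's situation: PCR mismatch and no recovery key
    return "recovery", _wrap(recovery_blob, recovery_key)

# Constructed sample values (not real keys or firmware contents).
VMK = hashlib.sha256(b"constructed volume master key").digest()
RECOVERY_KEY = b"000000-111111-222222-333333-444444-555555-666666-777777"
ORIGINAL_VARS = {"SecureBoot": b"1", "PK": b"OEM-PK", "KEK": b"OEM-KEK+custom",
                 "db": b"MS-UEFI-CA+custom", "dbx": b"rev-2017"}
DEFAULT_VARS = {**ORIGINAL_VARS, "KEK": b"OEM-KEK", "db": b"MS-UEFI-CA"}  # reset to mainboard defaults
SEALED = seal_to_pcr7(VMK, measure_secure_boot(ORIGINAL_VARS))
RECOVERY_BLOB = _wrap(VMK, RECOVERY_KEY)  # recovery protector does not depend on any PCR

if __name__ == "__main__":
    for label, vars_, rk in [("original keys", ORIGINAL_VARS, None),
                             ("defaults, no recovery key", DEFAULT_VARS, None),
                             ("defaults, recovery key", DEFAULT_VARS, RECOVERY_KEY)]:
        print(f"{label}: unlocked via {boot(SEALED, RECOVERY_BLOB, vars_, rk)[0]}")
```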
Tuesday, November 7, 2017 10:21 AM
Important data needs to be backed up, no matter what. No matter if encrypted or not.
--
Before changing secure boot settings, you need to suspend bitlocker. If you don't, you'll need to authorize the change by using the recovery key. The RK is created when you enable bitlocker and it is mandatory to save it to an external drive or print it. If you cannot find it, please make sure to look into your OneDrive cloud: http://onedrive.live.com/RecoveryKey
--
There is no other workaround since you cannot restore the old Secure Boot settings (or can you? Do you know how they were before, what keys were saved?)
Tuesday, November 7, 2017 7:18 PM
I store all important files on a network drive; I think I did not lose anything sensitive. I did not sync the recovery keys to OneDrive, I searched. I did try to save the Secure Boot keys before resetting them to default, but the UEFI interface is very user-unfriendly, and it turns out I thought I had saved them but nothing got saved; I needed an extra click.
I am asking because I don't understand how Secure Boot and BitLocker are related: BitLocker uses the keys from the TPM, and Secure Boot stores the keys in the mainboard. Am I wrong? Or do they both use the TPM?
Tuesday, November 7, 2017 7:23 PM
I understand that turning off BitLocker is recommended or a requirement when changing Secure Boot settings.
But I don't understand: if the TPM is untouched and the keys are there, why does BitLocker need the recovery key to decrypt a disk whose keys are present on the TPM, when nothing changed in the BitLocker <-> TPM trust chain?
So what if I changed Secure Boot settings?
Am I missing something? Does it make sense to everybody else?