Win7 – BitLocker Recovery key prompt after attaching a USB-C/Thunderbolt device

I am in the process of certifying several new Dell laptops (5480, 5580 and 7280) and have run into a BitLocker encryption issue with Windows 7.  The laptops image successfully using our current ConfigMgr task sequence with BitLocker.  However, if you plug in a USB-C/Thunderbolt NIC or docking station it will prompt for a BitLocker recovery key at every reboot.

This Dell Knowledge Base article describes the exact problem I am experiencing (this issue is not Dell specific).

‘If you are using USB Type-C only equipped systems running Microsoft Windows 7 in UEFI mode with Legacy Option ROMs enabled, you may experience a BitLocker recovery key prompt after attaching a Dell USB Type-C Dock (WD15) or other USB Type-C devices that have video or network boot capabilities. This is an expected result of the device detection process.

The system BIOS loads the Read-Only Memory (ROM) for the USB Type-C dock’s devices, (network and/or video), which invalidates the Platform Configuration Register 2 (PCR2) profile due to the change to the BIOS’s ROM footprint. (A hardware change had been detected) This is required by standards set by the TCG (Trusted Computing Group). If the system’s BIOS ROM is changed, PCR2 must also be updated to reflect this change.’

The article explains how to disable PCR 2 in the TPM platform validation profile through local policy.  Since we are deploying machines using a task sequence I need to configure these settings during the build process.  This is actually pretty simple: you apply the same settings directly in the registry before you encrypt the machine.  Here are the steps to do this.

  1. Create a package with this .reg file (you’ll need to unzip) at the root of the package directory.
    Note: This will configure TPM platform validation to only disable PCR 2, leaving PCR 0, 4, 8, 9, 10 and 11 enabled (default).  For more information on configuring TPM platform validation click here.

  2. In your task sequence, add a Run Command Line step before you enable BitLocker.
    Note: You will no longer be able to pre-provision BitLocker, since that would start encryption before these changes are applied.  If you want to keep using pre-provisioning you will need to make these registry changes directly in your WIM.  You can do this by adding these steps to your Build and Capture process and creating a new image, or simply mount your current WIM, load its SOFTWARE registry hive and make the changes manually.
  3. Reference the package you created in step 1 and add the following command to apply the registry settings.
    reg import .\TPMPlatformValidation.reg
  4. [Optional] Click Options and set the appropriate conditions on where you want this step to apply.  This could be all laptops, desktops if they are being encrypted or you can be specific and only apply to models with USB-C/Thunderbolt ports.
  5. Test your new task sequence and verify the machine is working properly when attaching USB-C/Thunderbolt devices.  You can also test by manually changing the boot sequence directly in the BIOS which would normally trigger a BitLocker recovery scenario.
    Note: If you need to validate the registry settings have applied successfully you can find those here: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation.
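The following PowerShell script is an added example and is not the .reg file or command line from the original post; it folds steps 1 to 3 and the step 5 registry check into one task sequence step. It generates a TPMPlatformValidation.reg equivalent to the one the post describes (PCR 2 disabled, PCR 0, 4, 8, 9, 10 and 11 enabled), refuses to run if the system volume is already encrypting (the pre-provisioning caveat in step 2), imports the file with reg.exe and then reads the key back to confirm the profile. The key layout it assumes (an Enabled DWORD plus one DWORD per PCR index named 0 through 23 under HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation) matches the "2"=dword:00000000 value shown in the comments but is otherwise an assumption, as is the use of the Win32_EncryptableVolume WMI class for the encryption check. It is written for the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not code from the original post. Run as an elevated task sequence
# step before the Enable BitLocker step (and before any Pre-provision BitLocker step).
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation'
$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$RegFile   = Join-Path $ScriptDir 'TPMPlatformValidation.reg'

# PCRs to keep in the validation profile: the Windows 7 default set minus PCR 2.
$EnabledPcrs = @(0, 4, 8, 9, 10, 11)

function New-PlatformValidationRegFile {
    # Writes a Version 5.00 .reg file. Assumption: the policy key holds "Enabled"
    # plus one DWORD per PCR index ("0".."23"), 1 = include in PCR profile, 0 = exclude.
    param([string]$Path, [int[]]$Enabled)
    $lines = @(
        'Windows Registry Editor Version 5.00',
        '',
        '[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation]',
        '"Enabled"=dword:00000001'
    )
    foreach ($pcr in 0..23) {
        $flag = if ($Enabled -contains $pcr) { '00000001' } else { '00000000' }
        $lines += ('"{0}"=dword:{1}' -f $pcr, $flag)
    }
    # reg.exe reads Version 5.00 files as UTF-16 LE ("Unicode")
    [System.IO.File]::WriteAllLines($Path, $lines, [System.Text.Encoding]::Unicode)
}

function Test-SystemVolumeFullyDecrypted {
    # Step 2 caveat: the profile must be in the registry before encryption starts.
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$env:SystemDrive'"
    if ($null -eq $vol) { return $true }          # no BitLocker provider/volume: nothing to check
    $status = $vol.GetConversionStatus()
    return ($status.ConversionStatus -eq 0)       # 0 = FullyDecrypted
}

function Get-PlatformValidationProfile {
    # Reads the key back (step 5 note) and returns the PCR indexes currently enabled.
    if (-not (Test-Path $KeyPath)) { return @() }
    $props   = Get-ItemProperty -Path $KeyPath
    $enabled = @()
    foreach ($pcr in 0..23) {
        $v = $props.PSObject.Properties[$pcr.ToString()]
        if ($v -and $v.Value -eq 1) { $enabled += $pcr }
    }
    return $enabled
}

if (-not (Test-SystemVolumeFullyDecrypted)) {
    Write-Error 'System volume is already encrypting; the PCR profile must be applied first.'
    exit 1
}

New-PlatformValidationRegFile -Path $RegFile -Enabled $EnabledPcrs
& reg.exe import $RegFile
if ($LASTEXITCODE -ne 0) {
    Write-Error "reg import failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}

$Applied = Get-PlatformValidationProfile
if (($Applied -contains 2) -or (Compare-Object $Applied $EnabledPcrs)) {
    Write-Error "PlatformValidation profile is $($Applied -join ','); expected $($EnabledPcrs -join ',')"
    exit 1
}
Write-Host "PCR 2 excluded from BitLocker platform validation; profile: $($Applied -join ',')"
```

A non-zero exit code fails the Run Command Line step, so a machine that reaches Enable BitLocker with the wrong profile is caught in the build rather than by a recovery prompt on the first dock. The same script can be run after imaging to repeat the step 5 check; only the import and the profile comparison matter at that point.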

Hope this has helped!

  • August 31, 2017 - 4:39 pm

    Chuck Colver - Hmmmm, we followed the same guidelines as dell and imported a local policy setting during the task sequence waaaay before BitLocker (which is our last step). We verified that the registry values match in that key ("2"=dword:00000000) and still we get the error when plugging in the "docking station". Anything else we should be looking for in this?

    • September 1, 2017 - 10:43 am

      Todd - Are you pre-provisioning BitLocker in your task sequence? The registry value needs to be set prior to this…which means to continue to pre-provision you must set the value directly in your WIM. If you're not using pre-provision I would add a pause in your task sequence just before enabling BitLocker and confirm the registry setting is set properly. You could also try setting the registry value with a REG ADD command instead of importing local policy.
