
The company I work for has computers with TPM chips and Windows 10 Enterprise, and uses BitLocker for full-disk encryption. They have BitLocker configured to require a password at boot (which I believe means the TPM is not involved in the decryption, and the disk should only be encrypted by the password itself; is this wrong?).

A coworker had his computer off the network for a while, and they removed his computer's access. To get access back, IT had to do "stuff" to it.

In the process of this, they had to

  • Make BIOS accept USB boot drive

  • Do something, maybe including updates to stuff (they weren't able to explain what the thing they ran did, only that it "did stuff")

  • Boot the computer

  • Noticed BitLocker password wasn't working

  • Went back into BIOS and re-initialized the TPM (because "sometimes that makes it accept the recovery key")

But the BitLocker password still didn't work... and the extraordinarily-competent IT people (the same ones who re-initialized the TPM) also lost the recovery key from their database.

What is actually causing it to reject the correct password?

Is the TPM relevant to this at all? (does password-protection require both the password to be correct AND the TPM to have the correct PCR state, or is it independent of the TPM?)

How can he unlock the drive with the password? (if the above question is that it still requires the TPM, then this is probably a worthless question because it's impossible)

2 Answers

Is the TPM relevant to this at all?

Yes; BitLocker absolutely was using the TPM to store the key. When the TPM configuration was wiped this key was permanently lost. The only way to access the drive currently is with the recovery key.

What is actually causing it to reject the correct password?

The password would only be accepted after the applicable recovery key was provided.

How can he unlock the drive with the password?

This is not possible in the current condition the system is in.

The recovery key is required, in order for the password to be used, in order to enable BitLocker again. BitLocker was automatically suspended when the TPM configuration was wiped. The data is still encrypted but the recovery key is required in order to access the data.

  • Ah, so BitLocker puts the password through the TPM too? How does it do this (and how can I have multiple drives with different passwords which can be unlocked in any order I choose)?
    – iAdjunct
    Commented Apr 2, 2019 at 22:23
  • Does this mean that the actual underlying AES key is stored both encrypted by hash(Password,TPM-PCRs) and hash(Password,RecoveryKey), so in either case the password is required?
    – iAdjunct
    Commented Apr 2, 2019 at 22:25
  • Unfortunately, the company does not allow photography and the computer is pre-boot, so no screen-shots. Can the drive be unlocked with only the recovery key, or does it need both the password and the key? He tells me it is now only asking for the recovery key; it asked for the password before, but after the TPM-reset, it started asking for the recovery key. Did I mention our IT department is stellar?
    – iAdjunct
    Commented Apr 2, 2019 at 23:13
  • Thank you for reminding me that I hadn't hit the check mark yet. Also, thank you for your answer - it has been very helpful! (naturally, he's not happy about the answer, but at least he can stop trying to find a way to fix it)
    – iAdjunct
    Commented Apr 3, 2019 at 0:16
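The accepted answer turns on one fact the question could not verify from the boot screen: which key protectors the OS volume actually has. A BitLocker "password at boot" on an OS volume is normally a TpmPin protector (PIN plus TPM-sealed key, so the PIN is useless once the TPM is cleared); a standalone Password protector exists only where BitLocker was set up without a TPM. The protector list also shows whether a RecoveryPassword protector exists and lets you escrow it before anyone touches the TPM. The following script is an added example, not code from the question or either answer; it assumes an elevated PowerShell on Windows 10/11 with the built-in BitLocker and TrustedPlatformModule modules, and the escrow line at the end is a hypothetical domain choice left commented out.

```powershell
# Added example: inventory the TPM state and every BitLocker key protector so that
# the consequences of re-initialising the TPM are known before it is done.
# Assumptions: elevated PowerShell, built-in BitLocker and TrustedPlatformModule modules.

$tpm = Get-Tpm
"TPM present: {0}  ready: {1}  owned: {2}" -f $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmOwned

foreach ($vol in Get-BitLockerVolume) {
    "`n{0}  status={1}  protection={2}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus

    foreach ($kp in $vol.KeyProtector) {
        "  {0,-18} {1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId
    }

    # Tpm, TpmPin, TpmStartupKey and TpmPinStartupKey protectors seal the volume key
    # to the TPM; the PIN alone never decrypts anything. Only a 'Password' protector
    # (BitLocker configured without a TPM) works independently of the TPM.
    $tpmBound = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
    if ($tpmBound) {
        "  -> boot-time unlock depends on the TPM; clearing it leaves only the remaining protectors"
    }
    if ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Password' }) {
        "  -> a standalone Password protector is present; it does not depend on the TPM"
    }

    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        "  !! no RecoveryPassword protector: nothing to fall back on if the TPM protector fails"
    } else {
        # The 48-digit recovery password must be stored somewhere other than this machine.
        "  recovery password (store off-box): $($rp.RecoveryPassword)"
        # Hypothetical domain setup: escrow it to AD DS before any TPM maintenance.
        # Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId
    }
}
```

In the situation described in the question, this output would have shown a TpmPin protector and a RecoveryPassword protector; running it and escrowing the recovery password before the TPM was re-initialised is the step that would have made the TPM reset harmless.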

What did they do to make the BIOS boot Windows from a USB port? I ran into something very similar here. I wanted to boot a BitLocker-encrypted Windows 11 installation via USB after enclosing the SSD in an NVMe-to-USB adapter. I've read that setting the value of BootDriverFlag, at HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\, to decimal 28 would make USB drivers available at boot time. Damn, it now boots, but even when I pass the correct 48-digit key to BitLocker it reports that the key is wrong.

    If you have a new question, please ask it by clicking the Ask Question button. Include a link to this question if it helps provide context. - From Review
    – Destroy666
    Commented Oct 29, 2023 at 12:34
