I have a Lenovo T410s laptop with Windows 7 Enterprise installed. Since it was issued to me by my company its initial configurations were performed by others. To protect sensitive data in the event of physical loss my company enabled BitLocker and the on-board Trusted Platform Module (TPM). Not sure what a TPM does? From Microsoft's website:
"A Trusted Platform Module (TPM) is a microchip that is built into a computer. It is used to store cryptographic information, such as encryption keys. Information stored on the TPM can be more secure from external software attacks and physical theft."
"BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen."
Couple of things to keep in mind when a TPM is used with BitLocker. If you start changing BIOS settings like boot order, e.g., boot to CD first or add a hard drive via the option bay and move it up within the boot order, you could be faced with a scary black screen like the following:
Now what you say? Well, if you have printed out your BitLocker recovery key prior to seeing the BitLocker Recovery Key screen, then you can just type it in. If this is an Enterprise managed deployment, then your Recovery Key may be escrowed in Active Directory as well. I try and make a habit of never calling technical support so I escrowed my key using the method below.
If you want to print your BitLocker Recovery Key do the following:
Right click on the logical Drive Letter where the O/S is stored, usually the C:\ drive (should have a padlock with key icon next to it if BitLocker is enabled for the drive. From the resulting menu select "Manage BitLocker", then select "Save or Print Recovery Key Again". I printed mine and kept it with me, but separate from my laptop at all times, i.e., don't keep the printed version in your laptop bag.
There's another issue with BitLocker which might surface depending on the type of changes you performed to your system. If you just changed the boot order that should be an easy fix, just reinstate the original boot order after using the BitLocker Recovery key to boot Windows. If you performed another type of change, you might continue to see the BitLocker Recovery Key screen on every subsequent reboot. The following is what happened to me.
Symantec EndPoint Protection is installed on my laptop and it does a scan every Friday. Although usually uneventful, this time it found something suspect and recommended I install the Symantec Endpoint Protection Support Tool. I downloaded and installed the tool and because of my extreme paranoia, I selected the check box next to the Symantec Power Eraser, including the check box next to "Add bootlog rootkit analysis", just to be sure. It took sometime to complete and when I rebooted I was met with the BitLocker Recovery Key screen containing the following text:
"The boot configuration Data (BCD) settings for the following boot application have changed since Bitlocker was enabled
boot appplication: \windows\system32\winload.exe
change settings: 0x26000090
You must supply a bitlocker recovery key to start this system.
Confirm that the changes to the BCD settings are trusted.
If the changes are trusted then suspend and resume bitlocker. This will reset bitlocker to use the new BCD settings.
Otherwise restore the original BCD settings"
Well, that's not good. So I entered my BitLocker Recovery Key and Windows booted fine, but on every subsequent reboot it kept asking for the Recovery Key, not good.
After reading the message above more closely I began looking for a way to suspend and resume BitLocker. Most of the methods I found relied upon the BitLocker management app within the Control Panel, unfortunately my company's great technology support group used Group Policy Objects (GPOs) to remove it. So I searched for an alternative method. I found several articles which confused "Pausing" BitLocker with "Suspending" BitLocker. Pause is related to pausing an ongoing BitLocker encryption process, like when it's first enabled. What I needed to do was "Suspend" and then "Resume" Bitlocker.
Here's what worked for me:
Search for cmd.exe, right click on it and select "Run as Administrator". Next, run the following commands:
Manage-bde.exe –protectors –disable c:
Manage-bde.exe –protectors –enable c:
After the commands completed, I rebooted and no more BitLocker Recovery Key screen on subsequent reboots.