Bitlocker prompts recovery key after cold boots
Lately whenever I refresh a laptop's OS via SCCM and have it re-enable BitLocker, it keeps prompting for the recovery key upon a cold boot (shutdown and powered on, not restarted). I made a test BitLocker Group Policy and disabled all PCR values except for PCR11, but still no luck. I also suspended and resumed BitLocker with the following commands:

manage-bde c: -protectors -disable
manage-bde c: -protectors -enable

What am I missing, or where can I look to find out why my devices are continuously being prompted to enter the recovery key?
October 28th, 2012 2:08pm

Hi,

The BitLocker recovery key is used to confirm that the changes to the system boot information are authorized. You may try the following:

1. Restore the system boot information.
2. Suspend and resume BitLocker.

Follow the instructions in this post: http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/594eafa4-bea8-4508-9b77-cd25a87de6f5

Tracy Cai
TechNet Community Support
October 29th, 2012 3:55am

What do you mean by "Restore the system boot information"?
October 29th, 2012 11:01am

Hi,

I mean method one, which was provided by Leo in the link I posted previously. For your convenience, I quote the steps here:

Method 1: Please go to the BIOS and try excluding all but your primary HDD from the boot priority order.

Method 2: Furthermore, you can try to follow these steps:
1. Open the BitLocker manager tool by either typing BitLocker into the Start menu search box and selecting the first result, or in the Control Panel, System & Security > BitLocker.
2. Click "Suspend Protection" on your system disk.
3. Select Yes at the prompt that appears.
4. Click "Resume Protection".

Now BitLocker will remember your updated system configuration. If you have any questions, please feel free to let me know.

Tracy Cai
TechNet Community Support
October 30th, 2012 5:05am

I've suspended/resumed BitLocker and adjusted the BIOS boot order, but this has no effect on the recovery key prompts from cold boots.
October 30th, 2012 10:09am

Hi,

Also, try to update your BIOS, and make sure BitLocker is suspended before you update the BIOS.

Tracy Cai
TechNet Community Support

Just tried that, still doing it.
November 3rd, 2012 10:10am

How can I properly clear the TPM and BitLocker information completely? We store everything in AD, so would the brute-force approach be deleting the AD computer object?
November 3rd, 2012 10:42am

Hi,

I also have the same problem. Plain vanilla Windows 7 with all Windows Updates and nothing else, encrypting the hard disk with BitLocker using the TPM chip. After the disk is encrypted I restart the PC and get prompted for the recovery key. Nothing has been changed on the computer, and suspending/resuming doesn't help. Using the recovery key works...

I have tried to disable all PCRs except PCR11, checked the registry on the client that it picked it up, suspended/resumed BitLocker, restarted, and am still getting the prompt.

Please, what needs to be fixed to have the system starting without requesting the recovery key?
November 3rd, 2012 1:35pm

Hi,

Also, try to update your BIOS, and make sure BitLocker is suspended before you update the BIOS.

Tracy Cai
TechNet Community Support
November 4th, 2012 12:20am

Check if the following is helpful: Clear the TPM http://technet.microsoft.com/en-us/library/cc753694.aspx

Thanks,
Zero
November 6th, 2012 8:05am

Looks like it's necessary to turn off BitLocker (decrypt the drive) and turn it on again for the PCR change to work. Suspend and Resume doesn't do the trick, at least not for my test computer. It's more or less as if the PCR setting is tattooed onto the encryption. It doesn't matter if I change the GPO and the PCR setting to only have PCR 11 = 1 and the rest set to 0 (verifying in the client's registry that it's updated): if I do a Suspend/Resume it still requires a recovery key at boot... But if I decrypt the drive and then encrypt it again, it will NOT request the Recovery Key at boot.

Interesting that you need to decrypt then encrypt for the PCR changes to take effect; however, I can't go and do that to our 2000 clients if I find the PCR setting that is causing this. Could a Windows Update have caused this?
November 10th, 2012 9:53am

Actually, it's not Windows Update related, because I get this even after I reimage computers, before anyone logs in.
November 10th, 2012 10:01am

Enten, could you try it on one computer... Disable all PCR values except for PCR11, and verify in the registry on that computer that it's applied:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation]

Then test decrypting the disk and encrypting it again. Does it cold boot without the recovery key?
November 10th, 2012 5:29pm

I'm having a tough time encrypting after decrypting, even after grabbing the TPM password out of the AD object. I am starting to suspect PCR 10 is causing issues, because one of our techs noticed that having a notebook plugged into the network can trigger a recovery key prompt.
November 12th, 2012 10:31am
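Added example (not from the thread): a PowerShell check that reads the PlatformValidation policy key quoted above and compares it with the PCR profile manage-bde reports for the live TPM protector on C:, so you can see on one machine whether the GPO change has actually reached the sealed key. It assumes the policy stores one DWORD per PCR index named "0".."23" (1 = enabled) and must run from an elevated prompt.

```powershell
# Compare the PCR profile in policy with the PCR profile sealed into the
# current TPM protector. The thread's finding: suspend/resume does not
# re-seal the protector, so a policy change leaves a mismatch until the
# drive is decrypted and encrypted again.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation'

# Assumption: one DWORD per PCR, value name "0".."23", data 1 = enabled.
[int[]]$policyPcrs = @()
if (Test-Path $policyKey) {
    $item = Get-ItemProperty -Path $policyKey
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -match '^\d+$' -and [int]$p.Value -eq 1) {
            $policyPcrs += [int]$p.Name
        }
    }
    $policyPcrs = $policyPcrs | Sort-Object
    Write-Host "Policy PCR profile : $($policyPcrs -join ', ')"
} else {
    Write-Host "No PlatformValidation policy key found; the default profile applies."
}

# manage-bde prints the PCR list under the TPM protector as
# "PCR Validation Profile:" followed by e.g. "0, 2, 4, 8, 9, 10, 11".
$out = (manage-bde -protectors -get C: 2>&1) | Out-String
[int[]]$sealedPcrs = @()
if ($out -match 'PCR Validation Profile:\s*(\d[\d,\s]*)') {
    $sealedPcrs = ($Matches[1] -split '[,\s]+' | Where-Object { $_ } | ForEach-Object { [int]$_ })
    Write-Host "Sealed PCR profile : $($sealedPcrs -join ', ')"
} else {
    Write-Host "No TPM protector with a PCR profile found on C:. manage-bde output:`n$out"
}

if ($policyPcrs.Count -and $sealedPcrs.Count) {
    if (Compare-Object $policyPcrs $sealedPcrs) {
        Write-Host "MISMATCH: the policy is not applied to the live protector."
        Write-Host "Suspend/resume will not re-seal it; the thread found decrypt + re-encrypt does."
    } else {
        Write-Host "OK: sealed profile matches policy."
    }
}

# The thread suspects PCR 10 when a notebook is docked/on the network at boot
# (PXE attempt changes what gets measured). Flag it so the tester knows.
if ($sealedPcrs -contains 10) {
    Write-Host "Note: PCR 10 is in the sealed profile; test a cold boot with the network cable unplugged."
}
```

Re-adding the TPM protector (manage-bde -protectors -delete C: -type TPM, then manage-bde -protectors -add C: -tpm) re-seals against the current profile without a full decrypt; that is a standard manage-bde operation and my own suggestion, not something the thread tested.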

This could be an issue when a notebook is plugged into the network during a reboot. So far we've tested unplugging our devices before reboots without being prompted for the recovery key, but it helps to disable PXE in the BIOS. We can still hit F12 if we need to image a device.
November 19th, 2012 6:16pm
