What's the best way to troubleshoot what changes are forcing Bitlocker into password mode?
We've deployed 10 notebooks with Bitlocker enabled. We are saving information in our Win 2008 R2 Active Directory domain. Recently, several of the notebooks have booted into the Bitlocker password mode. I've asked the users if they made changes to the BIOS or ran any system updates. Nothing 'appears' to have changed but something had to. What's the best way to figure out what's made the changes short of digging into the regular System or Application logs? Are there any Bitlocker-specific logs that we can enable to see what's forcing this to appear?

Orange County District Attorney
August 17th, 2010 6:29pm

Maybe the policy has changed. Check the policy:

Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup

Some process can change the policy by configuring Registry values:

HKLM\SOFTWARE\Policies\Microsoft\FVE!UseTPMPIN
HKLM\SOFTWARE\Policies\Microsoft\FVE!UseTPMKeyPIN
HKLM\SOFTWARE\Policies\Microsoft\FVE!UseTPM

You can enable object auditing and try to find clues.

1. Click Start, enter GPedit.msc in the Start Search box.
2. Open the following branch: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Security
3. Enable the following policies: Audit account logon events, Audit object access.
4. Open regedit.
5. Right click on the Registry branch you would like to audit, choose Security. Click the Advanced button.
6. Click the Auditing tab. Click Continue.
7. Click Add. Then click Advanced.
8. Click the button Find Now.
9. Wait for the process to finish. Then from the users list add the following users: ANONYMOUS LOGON, BATCH, CREATOR OWNER, Everyone, Guests, LOCAL SERVICE, NETWORK, NETWORK SERVICE, SERVICE, SYSTEM.
10. After selecting each user, choose "Delete" and "Delete subfolders and files" as the auditing entries.

If you would like to check which account was trying to remove items in the folder, please open Event Viewer, check the Windows Logs\Security Log for detailed information.

Hope it helps.

Arthur Xie
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com.
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

August 18th, 2010 11:51am
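A read-only triage script, added here as an example and not part of this thread or of any Microsoft documentation, that pulls together the checks the reply above points at: it reads the FVE policy values named in the post, reports the TPM state (a cleared or re-owned TPM is a common reason an OS drive drops into recovery), lists recent entries from BitLocker's own event log, and shows the Security event 4657 (registry value modified) entries that object auditing on the FVE key produces. The event log and WMI class names are assumptions of this example; run it from an elevated PowerShell prompt on an affected notebook.

```powershell
# Added example (not from the thread). Read-only BitLocker recovery triage.
# Assumed names: log 'Microsoft-Windows-BitLocker/BitLocker Management',
# WMI classes Win32_Tpm and Win32_EncryptableVolume, Security event ID 4657.

$fveKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policyValues = 'UseAdvancedStartup', 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'

Write-Host "== BitLocker policy values under $fveKey =="
if (Test-Path $fveKey) {
    $key = Get-ItemProperty -Path $fveKey
    foreach ($name in $policyValues) {
        $value = $key.$name
        if ($null -eq $value) { $value = '(not set)' }
        Write-Host ("{0,-20} {1}" -f $name, $value)
    }
} else {
    Write-Host 'No FVE policy key present: no startup-authentication policy is applied.'
}

Write-Host "`n== TPM state (a cleared or re-owned TPM forces recovery) =="
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($tpm) {
    # Each WMI method returns an object carrying the result as a same-named property.
    Write-Host ("Enabled={0} Activated={1} Owned={2}" -f `
        $tpm.IsEnabled().IsEnabled, $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned)
} else {
    Write-Host 'No TPM reported by WMI.'
}

Write-Host "`n== Protection status per volume (1 = protected, 0 = off or suspended) =="
Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume |
    ForEach-Object {
        Write-Host ("{0} ProtectionStatus={1}" -f $_.DriveLetter, $_.GetProtectionStatus().ProtectionStatus)
    }

Write-Host "`n== Last 20 BitLocker management events (key protector / recovery changes) =="
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap

Write-Host "`n== Registry value modifications (Security 4657) touching the FVE policy key =="
# Only populated once 'Audit object access' and a SACL on the FVE key are in place.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Policies\\Microsoft\\FVE' } |
    Select-Object TimeCreated, Message | Format-Table -AutoSize -Wrap
```

The 4657 section stays empty until the auditing steps in the post have been applied, and `-ErrorAction SilentlyContinue` keeps `Get-WinEvent` quiet when a log has no matching events.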

Thanks for the great post Arthur. We don't enforce the "Require additional authentication at startup" policy in our environment. We store recovery information in AD, that's about all we enforce. We don't require users to enter PIN numbers or passwords at login. I did notice something about our Bitlocker policy however. I have it enabled for:

Fixed Data Drives
Operating System Drives
Removable Data Drives

Now, we've only encrypted the hard drive, C: on our notebooks but I wonder how the Fixed Data Drive and Removable Data Drive policy affect things?

Orange County District Attorney
August 18th, 2010 5:28pm

Do you mean recovery passwords are saved to AD? If so, please let us know if Windows XP clients have to enter a password. I just suspect that the password is for authentication, but not for BitLocker. Is the AD system Windows Server 2003? How does it work if you change the default NTLM authentication level in Windows 7 clients?

1. Open gpedit.msc from the Start Search box. Then locate the following policy.
2. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level
3. Please change it to "Send LM & NTLM - use NTLMv2 session security if negotiated".

If the issue still occurs, I suggest you temporarily disable the firewall and check the result.
August 23rd, 2010 5:53am

We don't have users enter a password at boot time. We enable Bitlocker and then save the passwords to AD, Windows 2008 R2 AD. I was hoping something could get written to the Bitlocker logs to help understand what it's seeing as a change.

Orange County District Attorney
August 23rd, 2010 5:23pm

Related events are stored on client computers. However, they may not be helpful in troubleshooting. There is more information in the following articles. You may check whether the processes were followed exactly when you set up Bitlocker.

BitLocker Drive Encryption Configuration Guide
Backing Up BitLocker and TPM Recovery Information to Active Directory
Backing Up BitLocker and TPM Recovery Information to AD DS

How does it work if firewalls are disabled?
August 25th, 2010 12:41pm

Thanks for the links and the info. We disable the firewalls on our domain network by default. (I know, I know). I was hoping something would be logged somewhere when a change was made...

Orange County District Attorney
August 26th, 2010 1:59am

In Event Viewer, Bitlocker related logs are saved in:

Windows Logs > Applications and Services Logs > Microsoft > Windows > Bitlocker-DriverPreparationTool

The events that relate to whether the recovery password is saved into AD successfully are saved on the client; you may try to find them in the System log or Security log. You may check the logs. Hope it helps.
August 27th, 2010 10:01am

Are there any logs that one could check out that would show what could have changed, in the system, that would have prompted a user to enter the recovery password?

Orange County District Attorney
August 27th, 2010 5:03pm

Hi, No such logs exist.
August 31st, 2010 12:03pm

Thanks, that's what I was looking for.

Orange County District Attorney
August 31st, 2010 5:11pm
