Symptoms
You are prompted for your BitLocker recovery key at Windows startup on a Surface Book 2 13" device that has an NVIDIA GeForce GTX 1050 video card.
Cause
This issue may occur after the August 2018 UEFI update is installed. If the recovery key was entered, the device is now in the Legacy Bound (PCR 0, 2, 4, 11) configuration: the BitLocker TPM protector is sealed to the firmware code measurements instead of to the Secure Boot policy measurement (PCR 7, 11). Therefore, you must apply additional steps before the update that corrects this issue can be installed.
Note The August 2018 UEFI update is no longer available. However, any Surface Book 2 13" device that has an NVIDIA GeForce GTX 1050 and on which the update was installed could experience this issue and may still be in this configuration.
Resolution
To resolve this issue, use one of the following methods.
Automated fix
Here's how to use the Surface BitLocker Protector Check tool:
1. Download and run the Surface BitLocker Protector Check tool. The tool guides you through the installation of the repair update. Note: The tool is only available in English, but it runs on all devices.
2. In the search box on the taskbar, type Surface BitLocker Protector Check, and then select it from the list to open the tool.
3. Depending on the message you see, take one of the actions in the following table.
Message | Action
--- | ---
"This device's BitLocker settings do not require any changes." | Your BitLocker settings are fine, so you don't need to do anything else. Press Enter to exit the tool.
"Please dock your Surface Book 2 into the base." | On a Surface Book 2 device, attach the display to the keyboard. If it's already attached, detach it, clean its connectors, and then reattach it. Press Enter to exit the tool, and then follow steps 2 and 3 above again.
"BitLocker has been temporarily suspended. Reboot is now required. This tool will automatically resume from rebooting." | The tool needs to change your BitLocker settings. Press Enter to restart your device and apply the changes. The tool will automatically resume after your device restarts.
"Your BitLocker recovery key is: <your BitLocker recovery key number> Please record this in a safe location. Reboot is now required. This tool will automatically resume from rebooting." | Print or write down your BitLocker recovery key in case you need it. Then press Enter to restart your device and apply the changes. The tool will automatically resume after your device restarts.
"The BitLocker settings on this device have been successfully fixed." | The tool fixed your BitLocker settings, so you don't need to do anything else. Press Enter to exit the tool.
Manual fix (advanced)
Important: The following steps are provided for advanced users only. If you are not comfortable using Windows PowerShell and need help downloading or using the repair tool, contact Surface Support.
Check the BitLocker settings
1. Start a PowerShell command prompt with administrative privileges.
2. Run the following command:
   manage-bde -protectors -get C:
3. Under the TPM protector in the output, check the PCR Validation Profile setting.
   - If the PCR Validation Profile is 7, 11, the device is configured correctly, and no further action is necessary.
   - If this value is set to something other than 7, 11 (for example 0, 2, 4, 11, the Legacy Bound profile), go to the next steps.
Correct the BitLocker settings
1. At the PowerShell command prompt, run the following command:
   Suspend-BitLocker -MountPoint C: -RebootCount 0
   With -RebootCount 0, protection stays suspended (the volume remains accessible across restarts) until it is resumed, so the following restarts do not prompt for the recovery key.
2. Open Device Manager.
3. Locate and expand the Firmware branch.
4. If any firmware entry shows a warning symbol, select it, and then select Uninstall device. Do this for every firmware entry that shows the warning symbol.
5. Restart the Surface Book 2 device.
6. Start a PowerShell command prompt that has administrative privileges.
7. Run the following command:
   manage-bde -protectors -get C:
8. Locate the ID of the TPM protector and copy it to the clipboard. Make sure that you include the braces ({ }).
9. Type the following commands, and press Enter after each:
   manage-bde -protectors -delete C: -id "{TPM id}"
   manage-bde -protectors -add C: -TPM
   Note: In the first command, replace {TPM id} with the ID that you copied in step 8.
10. Restart the Surface Book 2 device.
Follow the "Check the BitLocker settings" steps to determine whether your settings are now correct.
If you previously uninstalled a firmware device in Device Manager, open Device Manager again and verify that no warning symbols are displayed under the Firmware device type. Then double-click the Surface UEFI item, open the Driver tab, and verify that the installed driver version is 389.2318.768.0 or later.
If the PCR Validation Profile still isn't 7, 11, or if you can't eliminate the warning symbols in Device Manager, contact Surface Support.
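The following PowerShell script is an added example, not the article's own commands or the Surface BitLocker Protector Check tool. It scripts the "Check the BitLocker settings" and "Correct the BitLocker settings" procedures above so they can be repeated before and after each restart, and it adds the safety check the automated tool implies when it prints the recovery key: the TPM protector is only replaced when a recovery password protector exists. The drive letter C:, reading the PCR list through the Win32_EncryptableVolume WMI class instead of parsing manage-bde output, and using Get-PnpDevice to find the Firmware entries that Device Manager flags are assumptions of this example; uninstalling those entries is still done in Device Manager, as in the article.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's tool or commands as given): scripts the
# "Check the BitLocker settings" and "Correct the BitLocker settings" steps.
# Run it before and after each restart; it only changes anything when needed.
# Assumptions (not stated on the page): the OS volume is C:, the BitLocker
# PowerShell module and manage-bde.exe are present, and the PCR list can be
# read through the Win32_EncryptableVolume WMI class.

$OsVolume          = 'C:'
$SecureBootProfile = @(7, 11)   # correct per the article; 0, 2, 4, 11 is "Legacy Bound"

function Get-TpmProtectorInfo {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | Select-Object -First 1
    if (-not $tpm) { return $null }
    # The WMI method returns the PCR indexes the TPM protector is sealed to
    $cim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$MountPoint'"
    $r = Invoke-CimMethod -InputObject $cim -MethodName GetKeyProtectorPlatformValidationProfile `
        -Arguments @{ VolumeKeyProtectorID = $tpm.KeyProtectorId }
    [pscustomobject]@{
        Id   = $tpm.KeyProtectorId   # "{GUID}" with braces, as manage-bde prints it
        Pcrs = @($r.PlatformValidationProfile | ForEach-Object { [int]$_ })
    }
}

function Test-SecureBootProfile {
    param([int[]]$Pcrs)
    if (-not $Pcrs) { return $false }
    # Order-insensitive comparison against 7, 11
    -not (Compare-Object ($Pcrs | Sort-Object) ($SecureBootProfile | Sort-Object))
}

function Test-RecoveryPasswordPresent {
    param([string]$MountPoint)
    # Deleting the TPM protector must never leave the volume with no way to unlock it
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    @($rp).Count -gt 0
}

function Get-ProblemFirmwareDevices {
    # Same information as the warning symbol on the Firmware branch in Device Manager
    Get-PnpDevice -Class Firmware -ErrorAction SilentlyContinue | Where-Object Status -ne 'OK'
}

function Get-SurfaceUefiDriverVersion {
    $dev = Get-PnpDevice -Class Firmware -FriendlyName 'Surface UEFI' -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $dev) { return $null }
    (Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName 'DEVPKEY_Device_DriverVersion').Data
}

function Repair-TpmProtector {
    param([string]$MountPoint, [string]$ProtectorId)
    # -RebootCount 0 keeps protection suspended until Resume-BitLocker, so the
    # volume stays accessible while the protector is swapped.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
    & manage-bde.exe -protectors -delete $MountPoint -id $ProtectorId
    & manage-bde.exe -protectors -add $MountPoint -TPM
    # The article's steps do not mention resuming; left suspended, the clear key stays on disk.
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
}

$info = Get-TpmProtectorInfo -MountPoint $OsVolume
if (-not $info) { throw "No TPM protector on $OsVolume; this procedure does not apply." }
"TPM protector $($info.Id) is bound to PCR $($info.Pcrs -join ', ')."

if (Test-SecureBootProfile -Pcrs $info.Pcrs) {
    'PCR Validation Profile is 7, 11: the device is configured correctly.'
    "Surface UEFI driver version: $(Get-SurfaceUefiDriverVersion) (expected 389.2318.768.0 or later)"
    return
}

$problem = @(Get-ProblemFirmwareDevices)
if ($problem.Count -gt 0) {
    'Firmware devices still show a problem. Uninstall them in Device Manager, restart, and run this again:'
    $problem | Format-Table FriendlyName, Status, InstanceId -AutoSize
    return
}

if (-not (Test-RecoveryPasswordPresent -MountPoint $OsVolume)) {
    throw 'No recovery password protector is present. Add one (manage-bde -protectors -add C: -RecoveryPassword) and back it up before replacing the TPM protector.'
}

Repair-TpmProtector -MountPoint $OsVolume -ProtectorId $info.Id
'TPM protector re-created. Restart now, then run this script again to confirm the profile reads 7, 11.'
```

Run the script from an elevated PowerShell prompt, restart when it tells you to, and run it again. If the second run still reports PCR 0, 2, 4, 11 after the Firmware branch is clean, the newly created TPM protector could not bind to Secure Boot, which is the condition under which the article tells you to contact Surface Support.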