BitLocker recovery key prompt on the Surface Book 2 13" after the August 2018 UEFI update

Applies to: Surface Book 2

Symptoms


You are prompted for your BitLocker recovery key at Windows startup on a Surface Book 2 13" device that has an NVIDIA GeForce GTX 1050 video card.

Cause


This issue may occurs after the August 2018 UEFI update is installed. If the recovery key was entered, the device is now in Legacy Bound (PCR 0,2,4,11) configuration. Therefore, you must apply additional steps to enable installing an update that corrects this issue.

Note The August 2018 UEFI update is no longer available. However, any Surface Book 2 13" device that has an NVIDIA GeForce GTX 1050 and on which the update was installed could experience this issue and may still be in this configuration.

Resolution


To resolve this issue, use one of the following methods.

Automated fix

Download and run the Surface BitLocker Protector Check tool. The tool guides you through the installation of the repair update. To access the tool, go to the following Surface website:

http://aka.ms/surfacecheck

Manual fix (advanced)

Important The following steps are provided for advanced users only. If you are not comfortable using Windows PowerShell but you require help to download or use the repair tool, please contact Surface Support.

Check the BitLocker settings

  1. Start a PowerShell command prompt with administrative privileges.
  2. Run the following command:

    Manage-bde -protectors -get C:
     
  3. Check the PCR Validation Profile setting. 
    • If the PCR Validation Profile is set to 7, 11, the device is configured correctly and no further action is necessary.
    • If this value is set to something other than 7, 11, go to the next steps.
       

Correct the BitLocker settings

  1. At the PowerShell command prompt, run the following command:

    Suspend-bitlocker -mountpoint C: -rebootcount 0
     
  2. Open Device Manager.
  3. Locate and expand the Firmware branch.
  4. If any firmware shows a warning symbol, select each firmware entry, and then select Uninstall device. Do this for any firmware node that shows the warning symbol.
  5. Restart the Surface Book 2 device.
  6. Start a PowerShell command prompt that has administrative privileges.
  7. Run the following command:

    Manage-bde -protectors -get C:
  8. Locate and copy the TPM ID to the clipboard. Make sure that you include the braces ( { } ).
  9. Type the following commands, and press Enter after each:

    Manage-bde -protectors -delete C: -id "{TPM id}"
    Manage-bde -protectors -add C: -TPM


    Note In the first command, replace <TPM id> with the ID number that you copied in step 8.
  10. Restart the Surface Book 2 device.

Follow the “Check the BitLocker settings” steps to determine whether your settings are now correct.

If you had previously removed a driver in Device Manager, open Device Manager again to verify that there are no warning symbols displayed for the Firmware device type. To do this, double-click the Surface UEFI item, and then open the Driver tab. Verify that the installed driver is 389.2318.768.0 or a later version.

If you can't configure the BitLocker setting to 7, 11, or if you can't eliminate the warning symbols in Device Manager, contact Surface Support.