UEFI base Machines Prompt for BitLocker Recovery Key

Applies to: Windows 7 Enterprise, Windows 7 Ultimate, Windows 7 Service Pack 1

Symptoms


On Windows 7 and Windows Server 2008 R2 platforms that support UEFI, you may be prompted for the BitLocker recovery key if you use UEFI BIOS with the Compatibility Support Module (CSM) enabled.

This occurs when a USB device is inserted while the machine boots.

Cause


The TCG specification requires the hardware platform to measure specific configuration data into PCR 5. That measurement changes when a USB device is inserted, so the PCR 5 value no longer matches the one BitLocker sealed against.

Workaround


To avoid this recovery event, consider one of the following:
  1. Not inserting USB devices during boot.
  2. Removing PCR 5 from the TPM Platform Validation Profile.
Perform the following steps to remove PCR 5 from the TPM Platform Validation Profile:
  1. In an enterprise environment, contact your System Administrator.
  2. In an unmanaged environment, you can perform the following steps:
    1. Open Group Policy Management console and select the BitLocker Policies.
    2. Under BitLocker Drive Encryption, Operating System Drives, Enable the “Configure TPM Platform Validation Profile” policy.
    3. In the list of PCRs, uncheck PCR 5.
    4. Apply this policy to the client machines by running gpupdate /force.
    5. BitLocker protection must be suspended and resumed so that BitLocker applies the updated TPM Platform Validation Profile.
      1. Open Control Panel, BitLocker Drive Encryption and click Suspend Protection.
      2. Open Control Panel, BitLocker Drive Encryption and click Resume Protection.
      3. To suspend and resume BitLocker protection from the command line, run the following:
        • To Suspend Protection:
          >manage-bde -protectors -disable c:
        • To Resume Protection:
          >manage-bde -protectors -enable c:
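The following PowerShell script is an added example for the unmanaged-environment procedure above; it is not part of this article and not Microsoft's code. It runs the gpupdate, suspend and resume steps in one go and then verifies the result the way an administrator would want to: it reads the PCR list the TPM protector is actually sealed against (from the "PCR Validation Profile" line that manage-bde -protectors -get prints) before and after the refresh, and checks that protection is back on. It assumes the OS volume is C:, that it runs in an elevated 64-bit PowerShell session on the affected Windows 7 / Windows Server 2008 R2 machine, and that manage-bde.exe and gpupdate.exe are reachable from %SystemRoot%\System32; the function and variable names are the example's own.

```powershell
# Added example (not Microsoft's code). Assumptions: OS volume is C:, elevated 64-bit
# PowerShell on the affected Windows 7 / 2008 R2 machine, manage-bde.exe and gpupdate.exe
# reachable from %SystemRoot%\System32. Written to stay PowerShell 2.0 compatible.
$OsDrive = 'C:'

# Runs a native command and returns its output as an array of plain strings.
function Invoke-Native {
    param([string]$Exe, [string[]]$CmdArgs)
    return @(& $Exe @CmdArgs 2>&1 | ForEach-Object { "$_" })
}

# Reads the PCR list the TPM protector is currently sealed against.
# manage-bde -protectors -get prints a "PCR Validation Profile:" line for the TPM
# protector; the list follows either on the same line or on the next one, so both
# layouts are handled. Returns $null when the volume has no TPM protector.
function Get-PcrValidationProfile {
    param([string]$Drive = $OsDrive)
    $lines = Invoke-Native 'manage-bde' @('-protectors', '-get', $Drive)
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile:\s*(.*)$') {
            $list = $Matches[1].Trim()
            if ($list -eq '' -and ($i + 1) -lt $lines.Count) { $list = $lines[$i + 1] }
            return @($list -split '[,\s]+' | Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ })
        }
    }
    return $null
}

# Reads the "Protection Status" line (e.g. "Protection On") from manage-bde -status.
function Get-ProtectionStatus {
    param([string]$Drive = $OsDrive)
    $lines = Invoke-Native 'manage-bde' @('-status', $Drive)
    foreach ($line in $lines) {
        if ($line -match 'Protection Status:\s*(.+)$') { return $Matches[1].Trim() }
    }
    return 'Unknown'
}

function Invoke-PcrProfileRefresh {
    param([string]$Drive = $OsDrive)

    # 1. Pull the updated policy (step 4 of the article).
    Invoke-Native 'gpupdate' @('/force') | Out-Null

    # 2. See what the TPM protector is sealed against right now. The policy change
    #    alone does not re-seal anything, so PCR 5 is expected to still be listed.
    $before = Get-PcrValidationProfile $Drive
    if ($null -eq $before) { throw "No TPM key protector found on $Drive." }
    Write-Host ("PCR profile in effect before refresh: " + ($before -join ', '))
    if ($before -notcontains 5) {
        Write-Host "PCR 5 is already absent from the sealed profile; nothing to do."
        return $true
    }

    # 3. Suspend and resume so BitLocker re-seals the volume master key against the
    #    policy's PCR set (step 5 of the article). While suspended the key is stored
    #    in the clear on the disk, so keep the two calls together and do not reboot
    #    in between.
    Invoke-Native 'manage-bde' @('-protectors', '-disable', $Drive) | Out-Null
    Invoke-Native 'manage-bde' @('-protectors', '-enable', $Drive) | Out-Null

    # 4. Verify: protection must be back on and PCR 5 gone from the sealed profile.
    $status = Get-ProtectionStatus $Drive
    $after  = Get-PcrValidationProfile $Drive
    Write-Host ("Protection status: $status; PCR profile after refresh: " + ($after -join ', '))
    if ($status -ne 'Protection On') {
        Write-Warning "Protection is not back on; run 'manage-bde -protectors -enable $Drive' again."
        return $false
    }
    if ($after -contains 5) {
        Write-Warning "PCR 5 is still in the sealed profile: confirm the policy applied (gpresult /r) and re-run."
        return $false
    }
    return $true
}

Invoke-PcrProfileRefresh $OsDrive
```

Run it from a 64-bit elevated session: a 32-bit PowerShell on x64 Windows cannot see manage-bde.exe because of WOW64 file system redirection. The before/after comparison is the point of the script: the policy only changes what future seals use, so a volume whose TPM protector still lists PCR 5 after the gpupdate has simply not been re-sealed yet, and the suspend/resume is what fixes that. Bear in mind that dropping PCR 5 narrows what BitLocker validates at boot, so the workaround trades some measured-boot coverage for fewer spurious recovery prompts.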