|08 Apr 2014||#1|
Bitlocker Install with TPM - Several issues. All help appreciated.
I ventured into the BitLocker world today for a desktop I recently built, and I'm
beginning to regret that decision. It seems to be fraught with issues. I have read some
of the tutorials here, but they seem not to apply to my particular situation. Let me
explain my scenario and I'll then ask my questions.
1) Hardware: Intel Core i5 desktop with 8 GB of RAM, SATA II hard drives,
1 SATA III hard drive, USB 2.0 & USB 3.0 ports, dual UEFI & traditional BIOS.
2) TPM ver. 1.2 installed (Infineon modules to control operation).
3) OS: Windows 7 64-bit with Service Pack 1 and latest updates installed.
The TPM was properly initialized and "owned." The BIOS reflects that it is now enabled and active.
I entered the BitLocker encryption panel and turned it on for the OS volume (drive C). It encrypted
just fine and rebooted.
I then went about the business of setting up keys and having it placed on a USB 2.0 flash drive that
is also connected so that the system will boot and use the TPMandStartupKey. I used the manage-bde
utility. This utility failed because the "Group Policy" options had not yet been set for Bitlocker.
So I went back and set them up (i.e. disabled/unchecked the "Allow Bitlocker without a compatible TPM,"
I enabled "Require Additional authentication at startup," and "Require startup Key with TPM"). All
other options were "Do not allow."
I then re-used "manage-bde" command. I attempted to use the "-TPMandPINandStartupKey" option and save
the result to my USB flash drive. But I kept getting errors that I "couldn't reference two file systems."
I then settled upon the "TPMandStartupKey" option and to save the results to the USB flash drive. The command
indicated "success" but I never saw the resultant file on my USB flash drive. It was either "hidden" or
it never made it there.
I then rebooted, and tested the reboot by taking out the USB flash drive. It correctly indicated that there
was no Startup key file found. I then inserted the USB flash drive and pressed "Esc" as indicated to reboot.
The system rebooted but indicated that there was a "difference" between the file discovered and the original
time BitLocker was initialized. It then required the recovery key. I entered this key and the system booted.
1) Recovery Key - Nothing other than the use of the recovery key at boot time seems to permit the system
to boot. I had thought it would be a bit more seamless in that if I had the Startup Key on the flash
drive, the system would boot on its own. Not the case. I don't want to have to enter the recovery
key all the time, now.
2) USB Drive - How can I verify that the Startup key file successfully made it to the USB flash drive? I don't
see it on there. Is it hidden or did it just not get put there? Where would it be, otherwise?
3) Documentation - Can anyone point me to the best documentation available on the net in re: Bitlocker and
some greater detail in how things like the "manage-bde" commands work? The help "-?" commands don't seem
to help a lot in re: interpreting the errors I get or how to implement the commands correctly.
All productive advice is greatly appreciated. Thanks much.
|09 Apr 2014||#2|
Update - I believe I found a much better reference for the "manage-bde" commands (straight from Microsoft's tech websites) that explained them better than my original resource. I deleted my old TPMandStartupKey entry, and after resuming BitLocker encryption and resetting Group Policies accordingly, I found the correct manage-bde command for the "-tpsk" setting. Correct command as follows:
manage-bde -protectors -add -tpsk <OSDrive> -tsk <USBDrive>
where <OSDrive> is the operating system drive (usually C:) and <USBDrive> is the flash drive on which to save the startup key file for rebooting purposes. The command did ask for the PIN, which I gave once, and then once again for verification. The command indicated success, and that the file was stored on <USBDrive>, although it still appears to be hidden. I then rebooted normally.
Lo and behold, upon rebooting, the Bitlocker screen came up and asked *only* for the PIN, which I entered. To my amazement, it was accepted and the system booted right up!
So, I'll let it sit for a bit, try a couple more reboots, and then move on to encrypting the other internal drives (with auto "unlock", of course), and then maybe some removable USB drives.
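The two open questions in this thread (whether the startup key file actually landed on the USB stick, and how to see what protectors BitLocker expects) can be checked from an elevated prompt. The script below is an added example, not code from either post: it reads the protector list that manage-bde reports for the OS volume, pulls out the .BEK file name(s) BitLocker expects, and then looks for them on the USB drive with -Force, because the startup key is written as a hidden system file and a plain directory listing omits it. The drive letters C: and F: are assumed; adjust them to your system.

```powershell
# Added example: verify a BitLocker startup key (.BEK) on the USB drive.
# Assumed drive letters; change to match your machine.
$OsDrive  = 'C:'
$UsbDrive = 'F:'

# 1) Ask BitLocker which key protectors are attached to the OS volume.
#    The output lists each protector (TPM, TPM And PIN And Startup Key,
#    Numerical Password, ...) and, for startup keys, the external key file name.
$protectors = & manage-bde -protectors -get $OsDrive 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde failed for ${OsDrive}:`n$($protectors -join "`n")"
}
$protectors | Write-Output

# 2) Extract every <GUID>.BEK file name that appears in the protector listing.
$bekNames = @()
foreach ($line in $protectors) {
    if ($line -match '(\S+\.BEK)') { $bekNames += $Matches[1] }
}
if ($bekNames.Count -eq 0) {
    Write-Warning "No startup key (external key) protector is attached to $OsDrive."
    return
}

# 3) Look for those files on the USB drive. -Force includes hidden and
#    system files, which is why Explorer and a plain 'dir' do not show the key.
$onUsb = Get-ChildItem -Path $UsbDrive -Filter '*.BEK' -Force -ErrorAction Stop

foreach ($name in $bekNames) {
    if ($onUsb.Name -contains $name) {
        Write-Output "OK: $name is present on $UsbDrive"
    } else {
        Write-Warning "MISSING: BitLocker expects $name but it is not on $UsbDrive"
    }
}
```

If the expected .BEK name is missing, the boot-time "difference" prompt described in the first post is what you would see, because the TPM+startup-key protector cannot be satisfied and BitLocker falls back to the recovery key.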
© Designer Media Ltd