So we did update two different models that we’re having issues with.  BIOS 
updated to latest and greatest, yet we still experience the issue.

Here’s a question:
Documentation states that we must delete and recreate the bitlocker protectors 
after the conversion…  On the systems that work, all we’re doing is this:


  1.  Suspend Bitlocker
  2.  Restart into WinPE
  3.  MBR2GPT conversion
  4.  BIOS config utility to enable UEFI (We tried taking out Secure Boot 
section but didn’t fix it.)
  5.  Enabling RE Agent:  cmd.exe /c "REAgentC /Enable"
  6.  Resuming bitlocker: cmd.exe /c "manage-bde -protectors -enable C:"
  7.  Restart Computer
  8.  This is where bitlocker recovery key is required.

Now, I would have to test again, but I’m 90% sure we also tried this for our 
steps 5 and 6:


  1.  cmd.exe /c "manage-bde -protectors -delete c:"
  2.  cmd.exe /c "REAgentC /Enable"
  3.  cmd.exe /c "manage-bde -protectors -add c: -tpm"
  4.  cmd.exe /c "manage-bde -protectors -enable C:"

With the above 4 steps, we had no issues but it didn’t seem to fix the 
bitlocker recovery issue.  Are we not properly “removing the protectors and 
recreating them”?

-Nick-

From: [email protected] [mailto:[email protected]] On 
Behalf Of Marable, Mike
Sent: Monday, July 31, 2017 7:41 PM
To: [email protected]
Subject: Re: [mssms] RE: Recovery Key required after SecureBoot

Good idea, Paul.
It seems HP is notorious for TPM issues that are fixed with BIOS updates.  We 
had some 600 G2s that were giving us fits with BitLocker recovery until HP 
released an updated BIOS revision.

Mike


From: [email protected] on behalf of [email protected]
Reply-To: [email protected]
Date: Monday, July 31, 2017 at 6:28 PM
To: [email protected]
Subject: RE: [mssms] RE: Recovery Key required after SecureBoot

Try updating your BIOS to the latest version

On 29 Jul 2017 00:36, "nick aquino" <[email protected]> wrote:
No, not dense at all. Makes sense... but it is at Win10 at this stage of the 
TS. I'll have to check the TPM 2.0 settings on Monday. There may be something 
there. These are the older models that are not happy. The 850g3 and 800g2 are 
working as expected.
Thanks Mike.

-Nick-




-------- Original message --------
From: "Marable, Mike" <[email protected]>
Date: 7/28/17 16:23 (GMT-05:00)
To: [email protected]
Subject: [mssms] RE: Recovery Key required after SecureBoot

Nick,

Are these being imaged as Win7?

SecureBoot is completely incompatible with Windows 7.  That alone could be 
tripping the recovery key request.

I’ve been finding it doesn’t take much to trip the key request.  I had a Dell 
XPS that was in Legacy BIOS mode and TPM 2.0, but Dell listed that combo as 
being unsupported and it was tripping the recovery key at every reboot.  Once I 
switched to UEFI + TPM 2.0 it ran smooth.

It's been a long day (I’ve been here since 5am) so forgive me if I’m just being 
dense and missing the obvious.

Thanks
Mike



From: [email protected] [mailto:[email protected]] On Behalf Of nick aquino
Sent: Friday, July 28, 2017 2:05 PM
To: [email protected]
Subject: [mssms] Recovery Key required after SecureBoot

Hi all,
Building out a Windows 10 1703 in-place upgrade task sequence for HP Models 
running Windows 7.  I’ve run into a few issues with these, one of them being 
that when I turn on SecureBoot, bitlocker recovery key is required after I 
re-enable bitlocker.  Here are my steps:


  1.  Disable bitlocker
  2.  Upgrade Operating system

     *   This reboots on its own

  3.  Added another restart to fix an issue with the TS Progress bar

     *   (conditional steps to disable bitlocker if, for some reason, it’s 
enabled again)

  4.  Restart into WinPE
  5.  Convert from MBR to GPT
  6.  Configure BIOS with UEFI and Secure Boot
  7.  Restart into Default OS
  8.  Enable bitlocker
  9.  Restart again into Main OS

After Step 9 restarts, we’re presented with the bitlocker recovery screen.  We 
enter the recovery key, boot up, disable bitlocker, restart, enable bitlocker 
and it’s fine.

If I perform all of the same steps but without enabling SecureBoot, we do not 
have an issue.  As soon as I enable secure boot (even if bitlocker is disabled 
before I restart into the firmware), once bitlocker enables, the recovery key 
is required upon the next restart.

Caveat: This only happens on the models that have legacy boot and secure boot 
separated into two settings in the BIOS.  The models that have it all in one 
step (i.e. “Legacy boot disabled and SecureBoot enabled”), those do not have 
the issue at all.

I hope this write-up makes sense and someone has a workaround.

-Nick-



**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be 
used for urgent or sensitive issues
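
The delete-and-recreate sequence from the latest message in this thread, written as an added PowerShell example that is not from any poster. It assumes the full Windows 10 OS rather than WinPE, an elevated session, BitLocker already suspended, and C: as the OS volume; it removes only the TPM protector, because `manage-bde -protectors -delete c:` with no type removes every protector, the recovery password included.

```powershell
# Added example (not from the thread). Assumptions: full OS, elevated session,
# BitLocker suspended on C:, BitLocker and SecureBoot cmdlets available.
$ErrorActionPreference = 'Stop'
$mount = 'C:'

# Confirm-SecureBootUEFI throws on a legacy-BIOS boot and returns $false
# when UEFI is active but Secure Boot is off.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { throw 'Not booted in UEFI mode; the firmware switch is incomplete.' }
if (-not $secureBoot) { throw 'UEFI is active but Secure Boot is off.' }

# Record the existing TPM protector IDs so the recreation can be verified.
$before = Get-BitLockerVolume -MountPoint $mount
$oldTpm = @($before.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
$oldIds = @($oldTpm | ForEach-Object KeyProtectorId)

# Remove the TPM protector(s) only. The recovery password protector stays,
# so a recovery key that is already escrowed remains valid.
foreach ($p in $oldTpm) {
    Remove-BitLockerKeyProtector -MountPoint $mount `
        -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# Create a fresh TPM protector with the final firmware settings in place,
# then resume protection.
Add-BitLockerKeyProtector -MountPoint $mount -TpmProtector | Out-Null
Resume-BitLocker -MountPoint $mount | Out-Null

# Verify: exactly one TPM protector, with a new ID, and protection is on.
$after  = Get-BitLockerVolume -MountPoint $mount
$newTpm = @($after.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
if ($newTpm.Count -ne 1) {
    throw "Expected one TPM protector, found $($newTpm.Count)."
}
if ($oldIds -contains $newTpm[0].KeyProtectorId) {
    throw 'TPM protector ID is unchanged; it was not recreated.'
}
if ($after.ProtectionStatus -ne 'On') {
    throw "Protection status is $($after.ProtectionStatus), expected On."
}

# Log the protector details, including the PCR validation profile, so the
# working and failing models can be compared.
manage-bde -protectors -get $mount -type TPM
```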



