Any BitLocker experts? Enterprise query

Memphis · 11 Jun 2013 at 15:00

Asking here first but unsure if this should really be in Servers and Enterprise Solutions.

Where I work we have recently introduced BitLocker as our encryption method. Everything is working grand right up until someone connects any type of USB removable storage...

We know this is related to the TPM validation PCR 4 and 5 which we have disabled and any new machine is quite happy. What we can't quite sort is applying this retrospectively to any already encrypted machines.

The settings are pushed via Group Policy which are applying to the machine, however I'm presuming because BitLocker was applied with the old settings in place these are 'saved' for that particular encryption run.

I'm hoping we don't have to decrypt and re-encrypt...

peterwalkley · 11 Jun 2013 at 15:07

Is this just an issue when powering up ? If it's like my work laptop, you need to disconnect USB memory devices when switching on - and then plug in once it's running. Bitlocker seems to assume that you're trying to go into recovery mode when it detects an external USB stick.

Memphis · 11 Jun 2013 at 15:12

Yeah that's the one. Disabling just PCR 4 and 5 stops the problem (http://support.microsoft.com/kb/2670514).

Unfortunately despite the settings applying via Group Policy, it doesn't seem to affect the already encrypted machines. They still prompt for recovery key on start up.

Just unplugging devices isn't ideal for us.

Any BitLocker experts? Enterprise query

Memphis

Memphis

peterwalkley

peterwalkley

Memphis

Memphis