Windows BitLocker Drive Encryption InformationWhen setting up BitLocker, it gets us to create a text file with that password in it. We put that file onto a network share.
The system boot information has changed since BitLocker was enabled.
You must supply a BitLocker recovery password to start this system...
This screen is happening every time we boot the system.
Since we are testing things, the machine is not setup on our domain yet.
What we can tell from searching is that we need to make some settings changes to the local machine's Group Policy, or at the domain Group Policy level before enabling BitLocker on any machine attached to the SBS domain.
For a standalone system if BitLocker has already been enabled and the error is showing itself, disable BitLocker, decrypt the system drive, and reset the TPM.
Then do the following:
- Administrative Templates
- Windows Components
- BitLocker Drive Encryption
- Disable by unchecking all PCR settings BUT 11
- Start-->CMD [Enter] (in search)
- GPUpdate /force
Reboot the system, reinitialize the TPM and run the BitLocker Drive Encryption tool to create another key and encrypt the drive.
GPEdit.msc Vista TPM PCR Settings Edited
You can test that the settings have taken by rebooting the system after pausing the encryption process at 1%. Note that a UAC prompt will happen after clicking the Pause button on the BitLocker encryption process window.
In our test on the stand alone system, it worked. We were no longer prompted for the BitLocker key when rebooting. We unplugged the system - did not remove the battery - and let it sit a while to make sure. Again, the system came backup without a BitLocker password prompt.
For an SBS domain attached system where the SBS server has been RipCurled (previous blog post), one would make the settings change to the Windows Vista Group Policy Object from a Vista box logged in as the domain admin.
Once logged into the Vista workstation and GPMC.msc is run, this is what you will see:
Note all of the extra Vista related policy settings that are accessible when managing the SBS Vista Group Policy Object from a Windows Vista machine.
SBS Vista Group Policy Object
Information on the workaround was found on the TechNet Forums: BitLocker requests encryption key at every reboot.
The BitLocker Team Blog - which hasn't been updated for a long time ... hint ... hint ...
By the way, a very critical consideration in all this is: What will happen to the BitLocker setup when a BIOS update is done? We will definitely be watching out for the next JOE update to test that one!
And secondly, the TPM on both the DQ965GF series and the DQ35JOE are both 1.2 compliant ... meaning that they will work with BitLocker with no issues.
Microsoft Small Business Specialists
*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.