Thursday 1 November 2007

Windows Vista - BitLocker Error - "system boot information has changed"

Now that we have BitLocker enabled on some of our systems, we have run into a really annoying quirk with it:


Windows BitLocker Drive Encryption Information

The system boot information has changed since BitLocker was enabled.

You must supply a BitLocker recovery password to start this system...
When BitLocker is set up, the wizard has us save the recovery password to a text file. We put that file onto a network share.

This screen is happening every time we boot the system.

Since we are testing things, the machine is not set up on our domain yet.

From what we can find, the fix is to change the local machine's Group Policy, or the domain Group Policy, before enabling BitLocker on any machine joined to the SBS domain.

For a standalone system where BitLocker has already been enabled and the error is showing, disable BitLocker, decrypt the system drive, and reset the TPM.

Then do the following:
  1. gpedit.msc
  2. Computer Configuration --> Administrative Templates
  3. Windows Components
  4. BitLocker Drive Encryption
  5. Open "Configure TPM platform validation profile" and uncheck every PCR BUT 11
  6. Start-->CMD [Enter] (in search)
  7. GPUpdate /force

A screenshot of the GPEdit.msc changes:

[Screenshot: GPEdit.msc Vista TPM PCR settings edited]

A word on what step 5 actually does: BitLocker seals the volume master key to the TPM PCRs in this profile (Vista's default is PCRs 0, 2, 4, 5, 8, 9, 10 and 11), and the TPM only releases the key when those PCRs hold the same values they had when BitLocker was enabled. PCR 11 is the one Windows itself extends during boot to lock the key after use, so keeping only PCR 11 stops the recovery prompt because the firmware, option ROM, boot manager and boot configuration measurements are no longer compared. The cost is that BitLocker also stops noticing when that boot code changes. It is a trade-off, not a free fix.

Reboot the system, reinitialize the TPM and run the BitLocker Drive Encryption tool to create another key and encrypt the drive.

You can test that the settings have taken by pausing the encryption process at 1% and rebooting the system. Note that a UAC prompt will appear after clicking the Pause button on the BitLocker encryption progress window.

In our test on the standalone system, it worked. We were no longer prompted for the BitLocker key when rebooting. We unplugged the system - did not remove the battery - and let it sit a while to make sure. Again, the system came back up without a BitLocker password prompt.
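The post checks the policy by pausing encryption and rebooting. A more direct check, added here as an example and not taken from the post, is to ask the volume which PCRs its TPM key protector is actually sealed to. The script below is PowerShell for an elevated prompt on the Vista box; it uses only the Win32_Tpm and Win32_EncryptableVolume WMI classes that ship with Vista. The expected profile (PCR 11 only) and the C: drive letter are assumptions that mirror the gpedit change above.

```powershell
# Added example, not from the original post: report the TPM state and the
# PCR profile each TPM key protector on the OS volume is sealed to, and
# compare it with what the gpedit change should have produced.
# Run from an elevated PowerShell prompt. Namespaces/classes are the ones
# shipped with Vista; $ExpectedPcrs and $OsDrive are this example's assumptions.

$ExpectedPcrs = @(11)
$OsDrive      = 'C:'

# --- TPM state: it must be enabled, activated and owned before a TPM
# --- protector can be created at all.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($tpm -eq $null) { Write-Error 'No TPM device found'; exit 1 }
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned
Write-Host ("TPM spec {0}: enabled={1} activated={2} owned={3}" -f `
    $tpm.SpecVersion, $enabled, $activated, $owned)
if (-not ($enabled -and $activated -and $owned)) {
    Write-Warning 'TPM is not ready; reinitialize it before enabling BitLocker.'
}

# --- Volume state: protection on/off and how far encryption has got.
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='$OsDrive'"
if ($vol -eq $null) { Write-Error "Volume $OsDrive not found"; exit 1 }
$prot = $vol.GetProtectionStatus()      # ProtectionStatus: 0=off 1=on 2=unknown
$conv = $vol.GetConversionStatus()      # EncryptionPercentage: 0..100
Write-Host ("{0}: protection status {1}, {2}% encrypted" -f `
    $OsDrive, $prot.ProtectionStatus, $conv.EncryptionPercentage)

# --- The real check: every TPM-only protector (type 1) and its PCR profile.
$ids = @($vol.GetKeyProtectors(1).VolumeKeyProtectorID)
if ($ids.Count -eq 0) {
    Write-Warning 'No TPM key protector on this volume (recovery password only?)'
}
foreach ($id in $ids) {
    $prof = $vol.GetKeyProtectorPlatformValidationProfile($id)
    $pcrs = @($prof.PlatformValidationProfile | ForEach-Object { [int]$_ })
    Write-Host ("Protector {0} sealed to PCRs: {1}" -f $id, ($pcrs -join ', '))

    # Same set, in any order, as the policy we expect.
    $match = ($pcrs.Count -eq $ExpectedPcrs.Count)
    foreach ($p in $ExpectedPcrs) { if ($pcrs -notcontains $p) { $match = $false } }
    if ($match) {
        Write-Host 'Profile matches the expected PCR set.'
    } else {
        Write-Warning ('Profile does not match policy. The protector was created ' +
            'before the GPO applied: decrypt, gpupdate /force, reboot, re-enable.')
    }
}
```

If the profile reported is still the default set rather than 11 alone, the TPM protector was created before the policy applied. The profile is bound when the protector is created, which is why the post decrypts and re-encrypts instead of just running gpupdate.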

For an SBS domain-joined system where the SBS server has been RipCurled (see the previous blog post), make the same setting change in the Windows Vista Group Policy Object from a Vista box logged in as the domain admin.

Once logged in to the Vista workstation with GPMC.msc open, this is what you will see:

[Screenshot: SBS Vista Group Policy Object]

Note all of the extra Vista-related policy settings that become accessible when the SBS Vista Group Policy Object is managed from a Windows Vista machine.

Information on the workaround was found on the TechNet Forums: BitLocker requests encryption key at every reboot.

The BitLocker Team Blog - which hasn't been updated for a long time ... hint ... hint ...

By the way, a very critical consideration in all this is: what will happen to the BitLocker setup when a BIOS update is done? Firmware code is measured into PCR 0, so with the default validation profile a BIOS flash changes the values the key is sealed to and should drop the machine into recovery; with the profile trimmed to PCR 11 as above, it should not. We will definitely be watching out for the next JOE update to test that one!

And secondly, the TPMs on both the DQ965GF series and the DQ35JOE boards are TPM 1.2 compliant, which is the TPM version Vista's BitLocker requires.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists


1 comment:

Anonymous said...

Suspend BitLocker, do the BIOS update, unsuspend BitLocker.

That's the idea anyway.
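The suspend / flash / resume sequence the comment above describes, as an added PowerShell example that is neither the post's nor the commenter's code. It is split into two functions because the BIOS flash itself needs a reboot in between: run Suspend-OsBitLocker, flash with the vendor's tool, reboot, then run Resume-OsBitLocker. It uses Win32_EncryptableVolume, which ships with Vista; the function names and the C: default are this example's own choices. With the validation profile trimmed to PCR 11 as in the post, a BIOS update touches no PCR in the profile, so this is only needed while the profile still includes PCR 0.

```powershell
# Added example, not from the post or its comment: suspend BitLocker around a
# firmware update and resume it afterwards, with the state checks that make
# the window safe to open. Run elevated. Function names and the C: default
# are assumptions of this example.

function Get-OsVolume {
    param([string]$Drive = 'C:')
    $v = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
    if ($v -eq $null) { throw "Volume $Drive not found" }
    return $v
}

function Suspend-OsBitLocker {
    param([string]$Drive = 'C:')
    $v = Get-OsVolume $Drive
    # Refuse to suspend a volume that is still converting; finish that first.
    $conv = $v.GetConversionStatus().ConversionStatus     # 1 = fully encrypted
    if ($conv -ne 1) { throw "Drive $Drive conversion status is $conv, not fully encrypted" }
    # DisableKeyProtectors writes the volume master key to disk in the clear,
    # so the TPM seal is bypassed on the next boot. Anyone with the disk can
    # read the volume until Resume-OsBitLocker runs; keep the window short.
    $rc = $v.DisableKeyProtectors().ReturnValue
    if ($rc -ne 0) { throw ("DisableKeyProtectors failed: 0x{0:X8}" -f $rc) }
    $status = $v.GetProtectionStatus().ProtectionStatus    # expect 0 = off
    Write-Host "BitLocker suspended on $Drive (protection status $status). Flash the BIOS and reboot, then resume."
}

function Resume-OsBitLocker {
    param([string]$Drive = 'C:')
    $v = Get-OsVolume $Drive
    # EnableKeyProtectors removes the clear key and re-seals the master key
    # against the PCR values of the current (post-flash) boot, which is why
    # the machine boots cleanly afterwards instead of asking for recovery.
    $rc = $v.EnableKeyProtectors().ReturnValue
    if ($rc -ne 0) { throw ("EnableKeyProtectors failed: 0x{0:X8}" -f $rc) }
    $status = $v.GetProtectionStatus().ProtectionStatus    # expect 1 = on
    if ($status -ne 1) { throw "Protection status is $status after resume, expected 1 (on)" }
    Write-Host "BitLocker resumed on $Drive; protection is on again."
}

# Usage (two separate sessions, with the flash and a reboot in between):
#   Suspend-OsBitLocker
#   ... run the vendor BIOS update, reboot ...
#   Resume-OsBitLocker
```

Resume-OsBitLocker checks the protection status after the call because a suspended volume that is forgotten is the real risk here: the drive reads as encrypted in the UI while the key sits next to the data in the clear.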