Tag Archives: Bitlocker

Fixing BitLocker Recovery Mode on HP Workstations

I recently had an issue at work where we saw a not-insignificant number of our Z4G5 workstations regularly going into recovery mode after the weekly reboot. As far as we were aware at the time, they were configured no differently from any of our other computers (laptop, desktop or mini-workstation), so this was confusing. What follows is what worked for us; depending on your environment, you might have other restrictions or security settings.

Following some digging, we discovered that these machines had a different PCR validation profile. Most of our machines are set to 7,11, whereas these were set to 0,2,4,11. You can check the validation profile of a machine with the following command (from an elevated prompt):

Manage-bde -protectors -get C:

Where C: is the drive letter.

SOLUTION:

We also noticed that Pre-Boot DMA Protection was turned off in the BIOS on these workstations. We turned this setting back on, cleared the TPM and restarted the machine. This reset the PCR validation profile to 7,11, and the machines have booted normally since. Note that clearing the TPM invalidates the existing TPM key protector, so suspend BitLocker first (or at the very least have the recovery key escrowed and to hand), otherwise the next boot is itself a recovery prompt.
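The following PowerShell is an added example (not from the original post) covering both the check above and the remediation: it parses the PCR validation profile out of manage-bde, compares it with what the firmware's Secure Boot state says it should be, and, only when invoked explicitly, re-seals the VMK after the TPM has been cleared with BitLocker suspended for the reboot. It assumes an elevated session on Windows 10/11 with English manage-bde output (the profile is the line after "PCR Validation Profile:"), and an Entra ID joined device for key escrow; the function names are my own.

```powershell
# Added example, not from the original post: report each BitLocker volume's TPM PCR
# validation profile against what the firmware state says it should be, and (on demand)
# re-seal the VMK after the TPM has been cleared.
# Assumptions: elevated PowerShell on Windows 10/11 with English manage-bde output (the
# profile is the line after "PCR Validation Profile:"); the device is Entra ID joined for
# key escrow (use Backup-BitLockerKeyProtector instead for on-prem AD).

function Get-BitLockerPcrProfile {
    param([string]$MountPoint = 'C:')
    # manage-bde is the only built-in tool that prints the PCR profile;
    # Get-BitLockerVolume's KeyProtector objects do not expose it.
    $text = manage-bde -protectors -get $MountPoint | Out-String
    if ($text -match 'PCR Validation Profile:\s+([\d, ]+)') {
        return @($Matches[1] -split '\s*,\s*' | ForEach-Object { [int]$_ })
    }
    return $null   # no TPM-based key protector on this volume
}

function Test-BitLockerPcrProfile {
    param([string]$MountPoint = 'C:')
    $pcrs = Get-BitLockerPcrProfile -MountPoint $MountPoint
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS
    # With Secure Boot on, BitLocker should bind to PCRs 7 and 11. A 0,2,4,11 profile means
    # it fell back to firmware/option-ROM/boot-manager code measurements, which change with
    # every BIOS update and are the usual reason for unexpected recovery prompts.
    $expected = if ($secureBoot) { @(7, 11) } else { @(0, 2, 4, 11) }
    $ok = ($null -ne $pcrs) -and ($null -eq (Compare-Object $pcrs $expected))
    [pscustomobject]@{
        MountPoint = $MountPoint
        SecureBoot = $secureBoot
        PcrProfile = ($pcrs -join ',')
        Expected   = ($expected -join ',')
        AsExpected = $ok
    }
}

function Invoke-BitLockerTpmReseal {
    param([string]$MountPoint = 'C:')
    # Clearing the TPM invalidates the existing TPM protector, so guard the volume first.
    # 1. Make sure a recovery password exists and is escrowed.
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) { throw "No recovery password protector on $MountPoint; add one before clearing the TPM." }
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp[0].KeyProtectorId | Out-Null
    # 2. Suspend BitLocker for one reboot: a clear key keeps the VMK reachable without the TPM,
    #    and protection resumes (re-sealing the VMK to the fresh TPM state) after the restart.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    # 3. Clear the TPM; most firmware asks for physical-presence confirmation during the restart.
    Clear-Tpm | Out-Null
    Restart-Computer -Force
}

# Usage (elevated). Correct the BIOS setting (Pre-Boot DMA Protection) first, then:
Test-BitLockerPcrProfile -MountPoint 'C:' | Format-List
# If AsExpected is False:  Invoke-BitLockerTpmReseal -MountPoint 'C:'
```

Run the test function across the fleet (it is read-only) and only invoke the reseal on machines where the BIOS has already been fixed; after the reboot, run the test again and expect SecureBoot True and PcrProfile 7,11.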

I appreciate there is an element missing here: why was it entering recovery mode in the first place? In many environments 0,2,4,11 is a perfectly acceptable default, and truthfully this is still unclear; HP weren't able to provide a good explanation either. A clue might lie in the last paragraph of the link below (re 'Secure Boot validation'): BitLocker only binds to PCR 7 when it can validate the Secure Boot state, and otherwise falls back to PCRs 0, 2 and 4, which measure firmware, option ROM and boot manager code and therefore change whenever any of those are updated.

FURTHER INFO:

The PCR indices can be configured via registry or Group Policy. Briefly, the default PCRs used by BitLocker on legacy BIOS firmware are 0, 2, 4, 8, 9, 10, 11:

  • PCR0: Core Root of Trust for Measurement (CRTM), BIOS code, platform extensions
  • PCR2: Option ROM code
  • PCR4: MBR code
  • PCR8: NTFS boot sector
  • PCR9: NTFS boot block
  • PCR10: Boot Manager
  • PCR11: BitLocker access control. The Volume Master Key (VMK) is sealed to this PCR, and the boot manager extends it once the VMK has been released so the key cannot be unsealed again later in the same boot.

On native UEFI firmware the default profile is 0, 2, 4, 11, or 7, 11 when BitLocker can use Secure Boot for integrity validation. For a more detailed explanation of this and what the different indices relate to, see Configure TPM platform validation profile for native UEFI firmware configurations.

Relaxing Intune BitLocker policy for removable disks

A quick post about an issue I ran into today while trying to create an OSDCloud USB stick (by the way, anyone interested in cloud imaging, I thoroughly recommend checking out David Segura's site: OSDCloud.com).

Anyway, I created a new image on my Intune-managed laptop and, as you might expect, we have BitLocker policies for drive encryption. By default, these also ask the user either to encrypt a removable drive to allow writing to it, or to leave it unencrypted and open it read-only. Given that I needed a bootable USB drive, the encryption option wasn't going to work for me. Digging through the policy settings, I eventually came to a setting called Deny write access to removable drives not protected by BitLocker, which needed to be set to disabled. Several minutes, syncs and restarts later (yes, I'm impatient), the previously greyed-out 'paste' option appeared when I selected the drive, and for all intents and purposes I figured all would now be well. Unfortunately not.

At this point I was scratching my head a bit until I noticed a file on my desktop called WriteAccessUSB.reg. I guess I must have run into a similar issue in the past and this did the trick. Open regedit and browse to the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE

Add/change the following setting:

"RDVDenyWriteAccess"=dword:00000000

Finally, just remove and reinsert your USB drive (no need to restart) and it should now be writable.
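As an added example (not from the original post), the same registry change in PowerShell, with a read-back of the current state and a write probe to confirm the drive is actually writable after re-plugging it. It assumes an elevated session; the registry path and value name are the ones given above, and the function names are my own.

```powershell
# Added example, not from the original post: inspect, relax and verify the BitLocker
# removable-drive write-deny policy on the local machine. Assumes an elevated PowerShell
# session; the registry path and value name are the ones given in the post.
$FvePolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

function Get-RemovableDriveWriteDeny {
    # $true when writes to removable drives not protected by BitLocker are denied
    # (RDVDenyWriteAccess = 1); $false when the value is 0 or not set.
    $v = (Get-ItemProperty -Path $FvePolicyKey -Name 'RDVDenyWriteAccess' -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    return ($v -eq 1)
}

function Set-RemovableDriveWriteDeny {
    param([Parameter(Mandatory)][bool]$Deny)
    if (-not (Test-Path $FvePolicyKey)) { New-Item -Path $FvePolicyKey -Force | Out-Null }
    # Same change as the .reg file in the post, but also able to put the control back (Deny = $true).
    New-ItemProperty -Path $FvePolicyKey -Name 'RDVDenyWriteAccess' -PropertyType DWord `
        -Value ([int]$Deny) -Force | Out-Null
}

function Test-RemovableDriveWritable {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'E:'
    # The policy is applied when the volume is mounted, so re-plug the stick before testing.
    $probe = "$($DriveLetter.TrimEnd('\'))\write-probe-$([guid]::NewGuid()).tmp"
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false   # access denied: write-deny still in force, or the volume is read-only
    }
}

# Usage (elevated):
"Write-deny currently enforced: $(Get-RemovableDriveWriteDeny)"
Set-RemovableDriveWriteDeny -Deny $false
# ...remove and reinsert the USB drive, then:
# Test-RemovableDriveWritable -DriveLetter 'E:'
# When the imaging work is done, restore the control: Set-RemovableDriveWriteDeny -Deny $true
```

Two caveats. The local value only survives until Intune next enforces whatever the tenant policy says, so the Intune setting has to agree with it or the stick goes read-only again at the next sync. And this control exists to stop data walking out on unencrypted USB drives; relax it for the specific device or group that needs to build boot media, and put it back afterwards.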