BitLocker won't accept correct disk password after... something

The company I work for has computers with TPM chips and Windows 10 Enterprise, and uses BitLocker for full-disk encryption. They have BitLocker configured to require a password at boot (which I believe means the TPM is not involved in the decryption, and the disk should only be encrypted by the password itself; is this wrong?).

A coworker has his computer off the network for a while and they removed his computer's access. To get access back, IT had to do "stuff" to it.

In the process of this, they had to

  • Make BIOS accept USB boot drive

  • Do something, maybe including updates to stuff (they weren't able to explain what the thing they ran did, only that it "did stuff")

  • Boot the computer

  • Noticed BitLocker password wasn't working

  • Went back into BIOS and re-initialized the TPM (because "sometimes that makes it accept the recovery key")

But the BitLocker password still didn't work... and the extraordinarily-competent IT people (the same ones who re-initialized the TPM) also lost the recovery key from their database.

What is actually causing it to reject the correct password?

Is the TPM relevant to this at all? (does password-protection require both the password to be correct AND the TPM to have the correct PCR state, or is it independent of the TPM?)

How can he unlock the drive with the password? (if the above question is that it still requires the TPM, then this is probably a worthless question because it's impossible)

1 Answer

Is the TPM relevant to this at all?

Yes; BitLocker absolutely was using the TPM to store the key. When the TPM configuration was wiped this key was permanently lost. The only way to access the drive currently is with the recovery key.

What is actually causing it to reject the correct password?

The password would only be accepted after the applicable recovery key was provided.

How can he unlock the drive with the password?

This is not possible in the current condition the system is in.

The recovery key is required, in order for the password to be used, in order to enable BitLocker again. BitLocker was automatically suspended when the TPM configuration was wiped. The data is still encrypted but the recovery key is required in order to access the data.

4

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like