HP Recommended
HP EliteBook X360 1030 G2
Microsoft Windows 10 (64-bit)

Hello,

We are currently changing our hardware fleet to the new generation X360 1030 G2/Zbook 15 G4/Zbook Studio G4 and have encountered an issue with BitLocker.
Every time you restart one of these devices you have to enter the recovery key.

 

No issues with the older devices like EliteBook 1040 G1/G2/G3, Zbook and Studio.

We have already tried many things, such as suspend -> restart -> resume -> restart.

Newest BIOS version is installed.

Checked and reset TPM.

Dell has a known issue with Thunderbolt 3 (all these devices have TB3) but no such BIOS setting for our HP models (http://www.dell.com/support/article/at/de/atbsdt1/SLN304584/bitlocker-asks-for-a-recovery-key-every-...).

 

Has anyone encountered such behavior, or possibly solved it already? 🙂

HP Recommended

Update: 
We narrowed it down to TPM 2.0. After downgrading the TPM to 1.2 on one of our X360 G2, BitLocker worked fine. (https://support.hp.com/gb-en/document/c05381064)

HP Recommended

Update 2:
Problem solved: we have to use UEFI with TPM 2.0, then BitLocker works just fine.

HP Recommended

I have a very similar problem with a brand new HP EliteBook 840 G4.


BitLocker encrypts fine but keeps asking for the recovery password every cold boot and most restarts. Pausing/resuming BitLocker only provides a temporary fix. The EliteBook is saying "secure boot policy has unexpectedly changed" and then asks for the recovery password.

 

I see there is a solution to the problem above but don't understand how to apply it to this 840. Could you provide more detail on using UEFI with TPM 2.0?

I'm new to HP laptops and usually work with Dells.

HP Recommended

Hi,
we changed the settings to legacy support enabled for our imaging process.
Apparently this does not work with these new devices so we had to revert our changes in:
Advanced -> Secure Boot Configuration -> Configure Legacy Support and Secure Boot -> "Legacy Support Disabled and Secure Boot Enable"

Additionally we had to enable "UEFI Boot Order" in Advanced -> Boot Menu

and create a new image with GPT partitioning instead of MBR.

 

But in my research I found that many BitLocker issues are resolved after a BIOS update. Although it did not solve ours, you should at least try that if you have not yet.

 

Additionally I found another post regarding this issue and your laptop:

https://h30434.www3.hp.com/t5/Notebook-Boot-and-Lockup/HP-EliteBook-840-G4-BitLocker-key-each-boot/t...
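
The following is an added example, not part of the original post or HP's own tooling: a PowerShell pre-flight check for the mismatch this thread traces the recovery prompts to (TPM 2.0 combined with legacy boot or an MBR system disk). It assumes an elevated Windows PowerShell 5.1 session on Windows 10; the `$findings` variable and the message strings are illustrative.

```powershell
# Added example: report TPM version, firmware mode, Secure Boot state,
# boot-disk partition style and BitLocker protectors, then flag mismatches.
$findings = @()

# SpecVersion looks like "2.0, 0, 1.16"; the first field is the TPM family.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
$tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

# How Windows was actually booted: Uefi or Bios (legacy/CSM).
$firmware = "$((Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType)"

# Confirm-SecureBootUEFI throws when the machine was booted in legacy mode.
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = $false }

# Partition style of the disk Windows boots from (GPT is required for UEFI boot).
$bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
$partStyle = "$($bootDisk.PartitionStyle)"

# BitLocker state and key protector types on the OS volume.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '

if ($tpmVersion -eq '2.0' -and $firmware -ne 'Uefi') {
    $findings += 'TPM 2.0 with legacy boot: set "Legacy Support Disable and Secure Boot Enable".'
}
if ($firmware -eq 'Uefi' -and -not $secureBoot) {
    $findings += 'UEFI boot but Secure Boot is off.'
}
if ($partStyle -ne 'GPT') {
    $findings += "Boot disk is $partStyle; a UEFI image needs GPT partitioning."
}

[pscustomobject]@{
    TpmSpecVersion   = $tpmVersion
    FirmwareType     = $firmware
    SecureBoot       = $secureBoot
    BootDiskStyle    = $partStyle
    ProtectionStatus = $vol.ProtectionStatus
    KeyProtectors    = $protectors
} | Format-List

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No TPM 2.0 / legacy boot / MBR mismatch found.' }
```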

HP Recommended

Hi,

The Elitebook came with "Support disabled and secure boot enabled"


UEFI Boot order is checked but greyed out. (M.2: Windows boot manager as first device, USB: as second device).
Legacy boot order is also checked and greyed out.

 

I have seen that other post, but this SSD is already using GPT partition style so I just followed the instructions from Advanced > secure boot > and "disable both legacy and secure boot".
Neither worked.

 

First thing I did before starting BitLocker was update the laptop's drivers including BIOS. All is up to date.

 

Right now I've taken BitLocker off to see if I can resolve it before putting it back on.

Thanks for your help. 

HP Recommended

Hi all,

 

I've been trying to nut this out for several hours now, and am not sure that I'm any closer to resolving.

 

In my case it's 2x new HP EliteBook 820 G4s (256GB M.2 SSDs with D: HP Recovery partition) that have the issue.

 

I tried various combinations of turning off BitLocker, clearing TPM under Windows and BIOS, re-enabling BitLocker, factory reset plus all Windows Updates, HP Updates including BIOS, software installs etc before enabling BitLocker.

 

No joy. Both laptops exhibit the same behaviour, and seem to pick and choose at random when they prompt for the BitLocker Recovery Key whether reboot, cold boot, on battery or power adapter.

 

Under BIOS -> Advanced -> Boot Options:

 

~ UEFI Boot Order is checked (But greyed out)

~ Legacy Boot Order is checked (But greyed out)

~ On one of the laptops I unchecked "USB Storage Boot" as this laptop appears to have USB-Type C port, but that made no difference.

 

Under BIOS -> Advanced -> Secure Boot Configuration:

 

~ Configure Legacy Support and Secure Boot, "Legacy Support Disable and Secure Boot Enable" is selected.

 

I have been on the phone to both HP and Microsoft Support but had no luck there either.

 

It must be something under the hood on these EliteBooks that BitLocker isn't happy with.

 

HP Support did ask if I could change a setting under Control Panel -> Manage BitLocker that I can't see on either laptop. That setting was "Change how drive is unlocked at startup", but I only have "Suspend Protection", "Back up your recovery key" and "Turn off BitLocker".

 

However, there is an info box near the top of the BitLocker Drive Encryption window that reads:

 

"[info icon] For your security, some settings are managed by your system administrator." even though the local users on these laptops are administrators.

 

In addition, I tried enabling the hidden "administrator" account which apparently has elevated privileges, but no difference.

 

Finally, I understand that there are ways to get rid of that message via Group Policy changes, but I haven't nutted that one out yet either.

 

Has anyone out there had any luck with the above?

 

Many thanks in advance.

 

Cheers,
Dave

 

HP Recommended

snax,

 

A couple of questions for you.

(I have a similar issue, full question posted in a separate section), related to BitLocker and the TPM.

Somehow my TPM is requiring my recovery key after even one bad attempt at the PIN. Some forums have indicated to clear out the TPM, but that can screw up BitLocker.

 

YOU indicated that to clear your TPM you first DISABLED BitLocker, then cleared the TPM.

Could you clarify how you did this? From what I read, I was to first DECRYPT the BitLocker-encrypted drive, then clear the TPM, but I'm more willing to chance it if I can just temporarily DISABLE BitLocker before clearing the TPM.

 

BUT, my concern is, how do the BitLocker PIN and RECOVERY key respond AFTER clearing the TPM; does it just get re-enabled?

 

Now, for you, the option to change how BitLocker unlocks has to be done, I think, from the GPEDIT.MSC command. See my Dropbox link, https://www.dropbox.com/s/7pe2qs4668m8ifl/Bitlocker-Encrypting-Operating-system-drive-with-password-... , for where you have to navigate to. (I might have more detail if you need it.)

That set of group policy items lets you change some BitLocker administrative items.

See if that helps.

Thanks

nick

 

HP Recommended

I know your question is aimed at snax.

Not sure I'd dare try that without a full backup. In my case I decrypt before clearing the TPM.

 

I've since seen a post that the biometrics can affect BitLocker but I've tried disabling that and re-encrypting with BitLocker. Made no difference.

 

Something the EliteBook is doing is upsetting BitLocker and evoking the recovery key. It's just what is the mystery.

 

 

HP Recommended

Graham,

Thanks for the reply.

Re: backup, definitely, I do image backups; I use Paragon Hard Disk Suite, full drive image.

That is why I would not mind trying the TEMPORARY disable, if he found that it works.

 

The MAIN issue I have (see separate thread, posted today, on TPM, Security, and settings) is that my TPM has had a couple of errant PIN attempts, and I can't get it to allow more than one PIN attempt before it requires the BitLocker recovery key. I want to reset the TPM security, so that it can tolerate more errant attempts before locking down, and I also want to change the amount of time (lessen it) that the machine has to run before it (the TPM) resets itself.

 

thanks

nick
