03-22-2017 08:19 AM
HP ProBook 640 G3 BitLocker-encrypted laptop always requests the 48-digit recovery key
(HP ProBook 640 G3)
Issue description: After operating system deployment using Microsoft SCCM, the above laptop enters BitLocker recovery mode on every reboot, prompting users for the 48-digit recovery key instead of the TPM PIN at the pre-boot level. I have applied a series of suggestions from TechNet articles and different blogs to no avail. Please see the build process and the issue/resolution attempts below.
Steps followed:
- Start PC, Press F10 to enter boot menu
- In the boot menu, from the "Advanced" tab, select "Secure Boot Configuration"
- On the "Configure Legacy Support and Secure Boot" option, click the drop-down menu and select "Legacy Support Enable and Secure Boot Disable", un-select "Fast boot", and make sure the ROM option is "All UEFI"
- From the “Main Tab”, click “Save Custom Defaults” and select “Yes” on the next prompt
- From the “Main Tab”, click “Apply Custom Defaults and Exit” and select “Yes” on the next prompt
- On the next step, enter the number displayed on the screen (mine was “3853” yours might be different) to confirm the change to the system secure boot configuration
- Also verify the legacy boot order is set to HDD first before any other drive, i.e. HDD, Network, USB, DVD.
- Save settings and exit.
- Then press "F12" immediately as the PC exits the boot menu to enter network boot. If you missed it, just restart the PC and network boot it as you normally would using the F12 key.
- The next steps from here are the same as the normal SCCM build process i.e. select the task sequence, etc.
- After build completion, make sure you can log in to the laptop and verify the C drive is completely encrypted; it should show the BitLocker "padlock" icon at this point, indicating it has been encrypted.
- Right-click the C drive and choose to back up the recovery key; follow the wizard, setting the "PIN" in the process, and save the recovery key to a network location, e.g. the "\\......\D$\tmp\MBAMBKUP" folder, or any other location if you can't access the above folder.
- Do a "gpupdate /force" to apply the MBAM settings, initiate the connection to the MBAM database by the MBAM agent, and have the recovery key replicated to the database
- On rebooting, the bitlocker prompts for recovery key instead of TPM PIN.
*Note: I have suspended and resumed encryption, and disabled and re-enabled it, as suggested by Microsoft TechNet articles and other blogs, but the issue repeats on reboot no matter what I do. There is no firmware/BIOS update or the like, and we haven't encountered this issue with any other hardware model before the "HP ProBook 640 G3". We have the "HP ProBook 450 G3" and "Surface Pro 3 tablet" and they are fine with BitLocker encryption; no issues at all. We are using the same task sequence and build process for all our computer devices.
Also, I have suspended BitLocker (no need to disable your TPM), then rebooted into the computer (Windows 10) again and re-enabled BitLocker (it actually re-enabled automatically), to no avail.
Any help would be appreciated.
03-22-2017 10:03 AM
Hi Sheddie,
Thank you for visiting the HP Forums! A great place where you can find solutions for your issues with help from the community!
If BitLocker encryption fails, download and install the following SoftPaq and encrypt the drive again:
To resolve this issue, download and install the following SoftPaq:
SoftPaq: Hitachi Hard Drive Firmware Update (Version: 2.1, Revision: A, Pass: 1)
NOTE: A more recent version of this software may be available. Check for newer versions at http://www.hp.com/drivers.
Thanks,
TD
03-23-2017 03:22 AM
Thanks for the reply but it didn't solve the issue.
The issue is not BitLocker encryption failing. The system drive encrypts completely. But on reboot the system cannot access the TPM password and user PIN to let it boot fully into the OS; instead it goes into recovery mode and requests the 48-digit recovery key.
However, I tried the firmware update as you suggested, but unfortunately the firmware is not applicable to the hard disk model "SanDisk SD8SNAT-128G-1006".
05-24-2017 10:56 AM
Same issue here! We received a few HP ProBook 650 G3s and were able to PXE boot them to receive a standard Windows 10 Enterprise installation (still build 1511). We followed the instructions to be able to PXE boot the device, but when the drive is BitLocker-enabled (we use a RES Automation task to enable BitLocker and store the recovery key in AD) it asks for the recovery key every time at boot! The same sequence worked well for HP ProBook 650 G1 & G2, ZBook 15 G1 to G3, HP ProBook 6570b, HP EliteBook 840 G2, HP EliteBook 850 G1 & G2 and so on!
And suddenly we receive this model and everything falls apart 😞 I'm a bit annoyed about this!
05-29-2017 12:59 AM - edited 05-30-2017 01:08 AM
I'm already running BIOS version 1.03 for the HP ProBook 650 G3 and BitLocker still asks for the recovery key every boot. I'm now testing the following:
- Install from WDS without applying the latest WSUS updates (should be a faster test)
- Within WDS I've got a RES Automation Manager job, which now only enables BitLocker and stores the key in AD and doesn't install anything else (normally the RES job installs the software packages)
For previous HP ProBook 650 G versions this sequence always worked flawlessly, but suddenly with the G3 version it fails. The only thing that changed is the hardware (HP ProBook 650 G3 instead of HP ProBook 650 G2 or other HPs), so the issue is definitely the HP ProBook 650 G3!
Updated 2017-05-29, 14:04 GMT+2: I've found this article https://support.hp.com/gb-en/document/c05381064 that states GPT is needed for the boot partition instead of MBR. I've also installed the latest version of MDT to be sure there's no issue with that. I'm running the MDT installation now.
Updated 2017-05-30, 08:45 GMT+2: even with a GPT volume the TPM can't be used. I've received numerous messages:
- BitLocker could not be enabled
The BitLocker encryption key cannot be obtained. Verify that the Trusted Platform Module (TPM) is enabled and ownership has been taken. If this computer does not have a TPM, verify that the USB drive is inserted and available.
- Within tpm.msc the status displays 'The TPM is not ready for use'
When choosing to prepare the TPM the following error occurs:
- Unable to turn on TPM security hardware
The TPM was not turned on due to an Active Directory backup failure. Please contact your system administrator for assistance.
We're using MDT (updated to the latest version)/WDS, and with computers with TPM 1.2 or with computers without a TPM there are no problems at all. Suddenly with this TPM 2.0 I'm getting this message!
05-30-2017 04:11 AM
I used this HP advisory to downgrade to TPM Firmware version 1.2 and after that everything works like a charm again. My current settings:
- MDT installs on an MBR volume
- Within MDT Bitlocker is enabled
- I have a BitLocker GPO set
@echo off
rem Enable bitlocker..
rem
rem Check status disk
manage-bde -status %systemdrive%|findstr /i /c:"Protection Status:"|findstr /i /c:"Protection On" >nul
if %errorlevel%==0 goto _end
rem
rem Enable TPM
manage-bde -protectors -add %systemdrive% -TPM
rem
rem Enable RecoveryPassword
for /f "tokens=2 delims== " %%i in ('manage-bde -protectors -add %systemdrive% -RecoveryPassword^|findstr /i /c:"ID: {"') do set NUMERIC_ID=%%i
rem
rem Backup to AD..
manage-bde -protectors -adbackup %systemdrive% -ID %NUMERIC_ID%
rem
rem Enable bitlocker
manage-bde -protectors -enable %systemdrive%
pause
:_end
I used RES to actually enable BitLocker using the above script.
When using the TPM version 2 I tested:
- UEFI PXE boot
- GPT volume
- Several BIOS settings
- I received several errors about the TPM, including:
- Bitlocker could not be enabled
- Unable to turn on TPM security hardware (due to an Active Directory backup failure)
- TPM enabled, with reduced functionality
Nothing seemed to work.
So, the solution is to downgrade to TPM 1.2 and everything works like a charm!
05-31-2017 11:51 AM
At last we got it working! Yesterday we tested the old legacy way, which worked well when TPM 2.0 was downgraded to 1.2 (see an earlier post). Today we tested with TPM 2.0 and Secure Boot. Here is our solution:
- DHCP, add or alter options:
  - 060: PXEClient
  - 067: Boot\x86\wdsmgfw.efi (UEFI boot)
- WDS/MDT (advice: update to the latest MDT and ADK):
  - GPT volume instead of MBR
- Laptop:
  - TPM 2.0: enabled
  - Secure Boot enabled, Legacy Boot disabled (so no legacy or UEFI with CSM!)
  - Fast Boot: disabled
  - UEFI Boot: PXE IPv6 disabled (no legacy boot available)
Using the above options, installing several HP devices went well. I've tested with:
- HP ProBook 650 G3 (TPM 2.0)
- HP ProBook 650 G2 (TPM 1.2 & 2.0)
- HP ProBook 650 G1 (TPM 1.2)
- HP ProBook 6570b (TPM 1.2)
- HP ZBook G3 (TPM 1.2)
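As an added example (not code from any post in this thread), the following PowerShell pre-flight check reports, from inside Windows, the conditions the thread identified before a task sequence enables BitLocker: a TPM 2.0 part on a legacy/CSM boot, Secure Boot off, an MBR system disk, a TPM that is not ready, and an OS volume with no TPM-based protector. It assumes an elevated Windows 10 session with the built-in BitLocker, TrustedPlatformModule, SecureBoot and Storage modules; the function name is my own.

```powershell
# Added example, not from the thread. Run elevated on Windows 10 before enabling BitLocker.
function Test-BitLockerPreflight {
    param([string]$MountPoint = $env:SystemDrive)   # e.g. 'C:'

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $firmware = $env:firmware_type                   # Windows sets 'UEFI' or 'Legacy'

    $tpm    = Get-Tpm
    $tpmWmi = Get-CimInstance -Namespace root\cimv2\security\microsofttpm -ClassName Win32_Tpm
    # SpecVersion looks like '2.0, 0, 1.16' or '1.2, 2, 3'; keep only the family.
    $tpmSpec = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'none' }

    if (-not $tpm.TpmPresent) {
        $findings.Add('No TPM: only recovery password / startup key protectors are possible')
    } elseif (-not $tpm.TpmReady) {
        $findings.Add('TPM present but not ready (tpm.msc shows "The TPM is not ready for use")')
    }
    # BitLocker supports TPM 2.0 only when the firmware boots in native UEFI mode.
    if ($tpmSpec -eq '2.0' -and $firmware -ne 'UEFI') {
        $findings.Add("TPM 2.0 with $firmware boot: switch the BIOS to UEFI-only (no legacy/CSM)")
    }
    if ($firmware -eq 'UEFI') {
        try { if (-not (Confirm-SecureBootUEFI)) { $findings.Add('Secure Boot is disabled') } }
        catch { $findings.Add("Secure Boot state unreadable: $($_.Exception.Message)") }
        $disk = Get-Partition -DriveLetter $MountPoint.Substring(0, 1) | Get-Disk
        if ($disk.PartitionStyle -ne 'GPT') {
            $findings.Add("System disk is $($disk.PartitionStyle): UEFI boot needs a GPT disk")
        }
    }
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    # Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey all seal to the TPM; anything else
    # means every boot ends at the recovery-key prompt.
    if (-not ($types | Where-Object { $_ -like 'Tpm*' })) {
        $findings.Add("No TPM-based protector on $MountPoint (found: $($types -join ','))")
    }
    [pscustomobject]@{
        Firmware   = $firmware
        TpmSpec    = $tpmSpec
        Protectors = ($types -join ',')
        Findings   = $findings.ToArray()
        Ready      = ($findings.Count -eq 0)
    }
}

Test-BitLockerPreflight | Format-List
```

Fast Boot is an HP BIOS setting that is not visible from inside Windows, so it is not covered here.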
11-22-2017 07:28 AM
In my case, the BIOS option Fast Boot caused my problem. It was activated.
Once I fixed my config file, everything was working like it should.
Here is my working file.
BIOSConfig 1.0
;
TPM Device
	Hidden
	*Available
TPM State
	Disable
	*Enable
Clear TPM
	*No
	On next boot
TPM Activation Policy
	F1 to Boot
	Allow user to reject
	*No prompts
Legacy Boot Order
	HDD:SATA:1
	HDD:USB:1
	CDROM:SATA:1
	NETWORK:EMBEDDED:1
UEFI Boot Order
	HDD:SATA:1
	HDD:USB:1
	CDROM:SATA:1
Fast Boot
	*Disable
	Enable
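As an added example (not from the post above), this PowerShell reads an HP BiosConfigUtility (BCU) file like the one just posted and reports the settings this thread found to matter: TPM Device, TPM State, Clear TPM, Fast Boot, and the "Configure Legacy Support and Secure Boot" option from the first post. It assumes the standard BCU layout (';' comment lines, setting names at column 0, option values on tab-indented lines, the value in effect prefixed with '*'); the function names and the file path are my own placeholders.

```powershell
# Added example, not from the thread. Parses a BCU file into an ordered dictionary.
function Read-HpBiosConfig {
    param([Parameter(Mandatory)][string]$Path)
    $settings = [ordered]@{}
    $current = $null
    foreach ($line in Get-Content -Path $Path) {
        # Skip the 'BIOSConfig 1.0' header, ';' comments and blank lines.
        if ($line -match '^\s*$' -or $line -match '^(;|BIOSConfig\s)') { continue }
        if ($line -match '^\S') {                 # unindented line: a setting name
            $current = $line.Trim()
            $settings[$current] = [pscustomobject]@{ Name = $current; Current = $null; Options = @() }
            continue
        }
        if (-not $current) { continue }           # value before any setting: malformed, ignore
        $value = $line.Trim()                     # indented line: one option value
        if ($value.StartsWith('*')) {             # '*' marks the value now in effect
            $value = $value.Substring(1)
            $settings[$current].Current = $value
        }
        $settings[$current].Options += $value
    }
    return $settings
}

function Test-HpBitLockerBiosConfig {
    param([Parameter(Mandatory)][string]$Path)
    $cfg = Read-HpBiosConfig -Path $Path
    $problems = @()
    # Values the working file in this thread ends up with.
    $required = @{ 'TPM Device' = 'Available'; 'TPM State' = 'Enable'; 'Clear TPM' = 'No'; 'Fast Boot' = 'Disable' }
    foreach ($name in $required.Keys) {
        if (-not $cfg.Contains($name)) { $problems += "${name}: not present in file"; continue }
        $actual = $cfg[$name].Current
        if ($actual -ne $required[$name]) { $problems += "${name}: is '$actual', expected '$($required[$name])'" }
    }
    # Legacy boot with Secure Boot off is the combination the first post started from.
    $sb = 'Configure Legacy Support and Secure Boot'
    if ($cfg.Contains($sb) -and $cfg[$sb].Current -match 'Legacy Support Enable|Secure Boot Disable') {
        $problems += "${sb}: is '$($cfg[$sb].Current)'; use UEFI-only boot with Secure Boot enabled"
    }
    [pscustomobject]@{ Path = $Path; Problems = $problems; Ok = ($problems.Count -eq 0) }
}

# Usage (placeholder path): Test-HpBitLockerBiosConfig -Path .\bitlocker-settings.bcu | Format-List
```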