This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Encryption recovery key needed after 'PC Configuration change'

We are new to using the Encryption product and we've set up on the default policy now with 22 users for monitoring... so far we have had 5 users after starting their machine neededing to enter the recovery key due to 'PC configuration change'.

My question is, what would make this happen? Windows version change/updates? We have put a hold on adding more users as if this is a common step our support will be overrun with calls for keys.



This thread was automatically locked due to age.
  • Hi Doing-Bits,

    finding out the reason why BitLocker triggers a recovery can be tricky. This is btw independent of SafeGuard.

    MS has documented the common reasons (and other BL related topics) in this article:

    https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq

    QUOTE

    Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. For example:

    • Changing the BIOS boot order to boot another drive in advance of the hard drive.
    • Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards.
    • Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.


    From my own experience, the recovery is mostly triggered, when BIOS or Firmware updates are done, without suspending BitLocker. 
    Funny enough the other common reason is a bad BIOS/UEFI. We had quite some fun for example with several Dell product lines in combination with USB-C docking stations, which was then solved by new BIOS and Firmware updates.

    It´s definitely worth checking with your hardware vendor if there are known issues in that area.

    Cheers
    F.

     

     

     

  • I can add to the Dell issue Funkey raised too - Experienced that here too. 

    I'd also add - Surfaces need some consideration. If you allow Windows Updates for Business it's possible that firmware/driver updates can de pushed down to the machines. It's easy to overlook these as they're bundled into the "standard" updates you might be downloading. Some of these updates SHOULD be BitLocker aware (many BIOS updates for Dell/HP are and detect BitLocker is enabled) but it's sadly not 100%