BitLocker requires recovery key after taking Surface Pro 3 out of docking station

Anonymous
2017-02-22T19:59:03+00:00

I have a Surface Pro 3 with Windows 8.1 and BitLocker enabled. When I take the Pro out of the docking station, BitLocker requires the recovery key. After putting in the recovery key, I then suspend, reboot and re-enable BitLocker and all is good again. When I put the Pro back into the docking station, again I am required to put the recovery key in and go through the above motions to make all good again. Has anyone run into this issue and have a fix for it? Any help is greatly appreciated.

Surface | Surface Pro | Safety and security

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

Accepted answer
  1. Anonymous
    2017-02-25T09:21:33+00:00

    Thank you for updating us. We suggest that you follow these steps:

    Check if your device is binding to PCR[7]

    1. On the Start screen, type msinfo32. The msinfo32 app appears in the Search bar, with a computer icon next to it.
    2. Right click on the msinfo32 app in the Search results and click Run as administrator. If you aren’t using an administrator account, you will need to supply the user name and password for an administrator account.
    3. Click Yes on the User Account Control dialog box.
    4. In the System Summary view, locate the PCR7 Configuration item and check the value.

    • If the value of PCR7 Configuration is Bound or Binding possible, then no further action is required.
    • If the value of PCR7 Configuration is Binding not possible, follow the steps under Enable binding to PCR[7].

    Enable binding to PCR[7]

    1. If BitLocker is enabled, save your BitLocker recovery key and then suspend BitLocker:

       • Save your BitLocker recovery key to a USB flash drive:
         a. Have a USB drive available that you don’t use for anything else.
         b. On the Start screen, type BitLocker, and in the search results tap or click Manage BitLocker. This opens the BitLocker Drive Encryption Control Panel window.
         c. Tap or click Back up your recovery key and follow the instructions to save your recovery key to a file on an external drive.
       • Temporarily suspend BitLocker:
         a. While still in the BitLocker Drive Encryption Control Panel window, tap or click Suspend protection.
         b. When asked “Do you want to suspend BitLocker protection?” click Yes.

    2. Follow these steps to reboot Surface into the UEFI configuration menu:

       • Swipe from the right edge of the screen and tap or click Settings.
       • Tap or click Change PC settings.
       • Tap or click Update and recovery.
       • Tap or click Recovery.
       • Under Advanced Startup, tap or click Restart now.
       • When Surface restarts, tap or click Troubleshoot.
       • Tap or click Advanced Options.
       • Tap or click UEFI Firmware Settings.
       • Tap or click Restart.

    3. The system will restart and boot into the UEFI configuration menu.
    4. Under Secure Boot Control, click Delete All Secure Boot Keys. The system will ask you to confirm.
    5. Tap or click Yes to confirm.
    6. Under Secure Boot Control, tap or click Install All Factory Default Keys.
    7. In the popup menu, tap or click Windows & 3rd-party UEFI CA (Default).
    8. Tap or click Exit Setup.
    9. Tap or click Yes to save the configuration and reset the device.

    The system will restart and boot into Windows.

    Confirm that BitLocker can bind to PCR[7]

    Follow the steps under Check if your device is binding to PCR[7], above.

    Enable BitLocker or bring out of suspension

    1. At the Start screen, type BitLocker.
    2. In the search results, tap or click Manage BitLocker.
    3. Tap or click Resume protection, or if BitLocker is turned off tap or click Turn on BitLocker.

    Let us know how it goes.

    1 person found this answer helpful.

3 additional answers

  1. Anonymous
    2017-02-23T15:27:01+00:00

    Hi James,

    Let's investigate this for you. Please answer the following questions:

    1. Are there other devices connected to the dock?
    2. What is the power state of your device when you dock/undock it?
    3. Is the BitLocker recovery key required when you turn on or restart your device without docking?
  2. Anonymous
    2017-02-23T18:41:46+00:00
    1. Just a data cable and mouse, the keyboard is connected directly to the Surface.
    2. The device is charged; I do a full shutdown before I remove or re-insert the Surface to the dock.
    3. Only when I boot it up after removing it from the docking station or hooking it back up to the docking station. After I suspend, reboot and re-enable BitLocker it boots without needing the recovery key.
  3. Anonymous
    2017-02-27T15:10:20+00:00

    Thanks, this put me in the right direction. It wasn't that the Secure Boot keys were bad; it was that Secure Boot in the UEFI was disabled. Once I enabled it, the prompts for the recovery key stopped. Thanks again.

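The PCR[7] check from the accepted answer and the Secure Boot state that the last reply found to be the cause can both be read from an elevated PowerShell prompt. This is an added example, not part of the original thread; the function names Get-PcrProfile and Test-BitLockerBootBinding are hypothetical, and the parser assumes English manage-bde output.

```powershell
# Added example, not from the thread. Run the live check from an elevated prompt.

function Get-PcrProfile {
    # Extract the PCR indices from 'manage-bde -protectors -get' text.
    # Assumption: English output, where the label is 'PCR Validation Profile:'.
    param([string[]]$Lines)
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match 'PCR Validation Profile:\s*(.*)$') {
            $list = $Matches[1]
            # The indices are normally printed on the line after the label.
            if ((-not $list) -and (($i + 1) -lt $Lines.Count)) {
                $list = $Lines[$i + 1]
            }
            return @([regex]::Matches($list, '\d+') |
                     ForEach-Object { [int]$_.Value })
        }
    }
    return @()   # no TPM protector section found
}

function Test-BitLockerBootBinding {
    param([string]$MountPoint = $env:SystemDrive)

    # Returns $true/$false on UEFI systems; throws on legacy BIOS or when
    # not elevated, which is reported here as $null (state unknown).
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    $pcrs   = @(Get-PcrProfile -Lines (manage-bde -protectors -get $MountPoint))

    [pscustomobject]@{
        MountPoint        = $MountPoint
        SecureBootEnabled = $secureBoot
        ProtectionStatus  = $volume.ProtectionStatus
        PcrProfile        = $pcrs -join ', '
        BoundToPcr7       = $pcrs -contains 7
    }
}

# Constructed sample of a TPM protector section (not captured from a real
# device), used to try the parser offline: a profile without PCR 7.
$sample = @(
    '    TPM:',
    '      PCR Validation Profile:',
    '        0, 2, 4, 11'
)
Get-PcrProfile -Lines $sample

# Live check of the OS volume.
Test-BitLockerBootBinding
```

A result with SecureBootEnabled false and a profile that lacks PCR 7 matches the situation the last reply describes; after Secure Boot is enabled and BitLocker is suspended and resumed, the profile should include 7.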