BitLocker Drive Encryption, Boot Priority and Windows to Go

Randy Guthrie – Microsoft Technical Evangelist
https://blogs.msdn.com/MIS_Laboratory

Recently I ran into a problem with BitLocker Drive Encryption on my work laptop (Lenovo W500) where BitLocker kept prompting me to enter the 48-character “recovery key” every time I started the computer after undocking it from work and either starting it off the dock or docking it at home. I have two docking stations: one in the home office and one at my work office. After calling our internal tech support I learned something very interesting about BitLocker, BIOS boot priority settings and Windows to Go that I wanted to share.

First off, upon start-up BitLocker looks for any suspicious changes in the boot environment (the TPM records measurements of the firmware and the boot path, so a different boot sequence shows up as a change) that might indicate that someone removed a bootable hard drive from a machine with a Trusted Platform Module (TPM) chip in an attempt to bypass the BIOS start-up password. When BitLocker suspects this might have happened, it requires the entry of the recovery key upon start-up as an added layer of security. This is what was happening to me.

The reason it was happening was the result of two things. First, I had changed the default boot priority on my machine to look at USB fixed disks and USB hard drives, as well as the optical drive, before attempting to boot from the internal hard drive. The reason I have the USB FFD and USB HDDs first in the boot priority list is that I use Windows to Go, and I want my BIOS to look for the Windows to Go drive and boot from that if it has been inserted, rather than boot from the internal drive. The second factor that contributes to BitLocker thinking something is amiss is that my docking station at home has a secondary storage hard drive unit, which the USB HDD entry in the boot priority list detects upon start-up and probes to see whether it is bootable. These two conditions combine to make BitLocker think I’ve taken the hard drive out of my laptop and another OS is attempting to access it.

According to my very knowledgeable help-desk technician, this isn’t a “bug” per se but the result of BitLocker actually doing what it is supposed to do, i.e., making stealing data off of my laptop very, very difficult if not impossible.

Knowing why and how this works lends itself to several solutions: (1) change the boot priority back to look at the internal hard drive first, or (2) remove the secondary storage drive from my docking station (I don’t use it for anything other than occasional back-ups). Since my Lenovo laptop can provide various boot options when you press F12, including booting from a Windows to Go drive, I chose to change my boot priority so that the internal hard drive boots first. I can always change the priority back if I’m building a bunch of Windows to Go drives for a workshop, but for now, I’m happy not having to enter the recovery key when I switch back and forth between work and home, and I can easily boot from my Windows to Go drive by hitting F12 after pressing the start button.
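Whichever option you pick, changing the boot priority itself is a change to the boot path, so the cleanest way to do it without landing in recovery is to suspend BitLocker for one reboot first. The following is an added example (not from Randy's post); it uses the built-in BitLocker module and manage-bde, and assumes the operating-system volume is C: and that you run it from an elevated prompt.

```powershell
# Added example: inspect what BitLocker's TPM protector is sealed against, make sure a
# recovery password exists, then suspend protection for exactly one reboot so the
# firmware boot-order change does not trigger the recovery-key prompt.
# Assumptions: Windows 8 / Server 2012 or later, elevated PowerShell, OS volume on C:.

$Drive = "C:"   # assumption: the operating-system volume is C:

# 1. Confirm the OS volume is protected and list its key protectors.
$vol = Get-BitLockerVolume -MountPoint $Drive
"{0} {1}, protection {2}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# 2. Show which TPM PCRs the volume key is sealed to. Boot-path measurements land in
#    these registers, so a different start-up sequence (probing a USB disk first,
#    for example) changes them and forces recovery.
manage-bde -protectors -get $Drive |
    Select-String -Pattern "PCR Validation Profile" -Context 0,1

# 3. Never change boot configuration without an escrowed recovery password: if the
#    seal does not match after the change, that password is the only way back in.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")) {
    Write-Warning "No recovery password protector on $Drive - back one up before continuing."
}

# 4. Suspend protection for a single reboot. The volume stays encrypted, but its key
#    is stored in the clear on disk until the next boot, so make the firmware change
#    immediately and reboot. On that boot BitLocker re-enables itself and reseals the
#    key to the new measurements, so no recovery key is requested.
Suspend-BitLocker -MountPoint $Drive -RebootCount 1

# 5. After the reboot, verify that protection came back on its own:
#    (Get-BitLockerVolume -MountPoint $Drive).ProtectionStatus   # expected: On
```

If the status after the reboot is still Off, run Resume-BitLocker -MountPoint C: rather than leaving the key unsealed.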

Cheers,

Randy