Wednesday, August 25, 2010

Using BitLocker? Watch It When Updating Your PC's BIOS

I just got a new laptop and the BIOS supports the Trusted Platform Module (TPM), which basically lets you store the BitLocker decryption key in the TPM so you don't have to enter a 48-digit recovery password or carry around a USB key with you to boot the system. I decided to encrypt the hard drive so that if the laptop was lost, my music collection would be unmolested by the finder.

I am of the "if it ain't broke, don't fix it" mentality, so I usually skip the BIOS upgrades for PCs since it is one of the few things you can do to a PC that can cause total failure, requiring a tech visit. However, my touchpad was acting funny and, sure enough, Dell had improved touchpad behavior in a BIOS released just last week. What I didn't know, and what the BIOS upgrade README didn't mention, was that there are steps you need to take if you have BitLocker enabled.

You know that feeling you get in your stomach when you realize you just formatted the wrong partition, or realize you put sugar in the gas tank of the wrong neighbor? That was the feeling I got when the system booted and I was greeted with a text screen saying something to the effect of "Dude, you are screwed. All of your data is encrypted and you changed the BIOS, so now I can't boot up normally." It actually had some technical terms in it, but I translated for you.

Fortunately, I had my BitLocker recovery key on a USB drive, which was foolishly encrypted with BitLocker To Go, so of course it couldn't be used to boot the machine. Note that nowhere in Microsoft's documentation of BitLocker does it say to not encrypt the recovery key. At least not in the part I read, which was the first two sentences.

Long story short, I got the key off using another computer (BitLocker To Go is pretty cool when dealing with non-Windows 7 PCs, actually) and printed it off. I went through some confusing screens at boot and finally got to a point where I could enter all 48 numbers. It booted normally and that was that, I thought.

Wrong.

On the next boot, it did it again! Crap. Unless I fixed this, I'd have to enter 48 digits every time the system booted. Off to Dell's knowledge base. After finding the article link on Dell's site that deals with this, it simply led to a page that said in big red letters "I'm sorry. The really important article you have requested is not showing up right now, so come back later when maybe one of the tech support people will read the error log and realize that this life saving article is not working properly and restore it."

Again, I translated geek speak into English for you.

Turns out the fix is pretty easy.
  1. Open the Control Panel. (This of course assumes you got the machine booted. If not, and you cannot find your recovery key, then you can stop reading the computer's error message after the "Dude, you are screwed" line.)
  2. Go to the Security section
  3. Click on BitLocker
  4. Next to your boot drive, click Suspend.
  5. Now click Resume.

That's it. The suspend/resume cycle rewrites the key protector to the TPM against the new BIOS measurements, so you don't have to keep your USB key handy.

If you haven't updated your BIOS yet, do steps 1-4 above before applying the BIOS update, then step 5 after it reboots.
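The same suspend/resume procedure can be scripted so it is done in the right order around a firmware update, with a status check on each side. The script below is an added example, not something from the original post, Dell or Microsoft. It assumes the OS drive is C:, that it runs from an elevated prompt, and that `manage-bde.exe` (the BitLocker command-line tool shipped with Windows) is on the PATH; the `Phase` and `Drive` parameter names are the script's own.

```powershell
# Added example: suspend BitLocker protectors before a BIOS update and
# re-enable them afterwards, verifying the protection status each time.
# Assumptions: OS drive is C:, elevated prompt, manage-bde.exe on PATH.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Before', 'After')]
    [string]$Phase,

    [string]$Drive = 'C:'
)

function Get-ProtectionStatus {
    # manage-bde -status prints a "Protection Status:" line; return its value
    # ("Protection On" or "Protection Off").
    param([string]$Drive)
    $out = & manage-bde.exe -status $Drive
    foreach ($line in $out) {
        if ($line -match 'Protection Status:\s*(.+)$') { return $Matches[1].Trim() }
    }
    throw "Could not read BitLocker status for $Drive (is it encrypted?)"
}

function Test-TpmProtector {
    # True if the drive has a TPM key protector; a BIOS change only triggers
    # recovery when the key is sealed to TPM measurements.
    param([string]$Drive)
    $out = & manage-bde.exe -protectors -get $Drive
    return [bool]($out | Where-Object { $_ -match '^\s*TPM' })
}

function Invoke-ManageBde {
    # Run manage-bde with the given arguments and fail loudly on a non-zero exit.
    param([string[]]$Arguments)
    & manage-bde.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

switch ($Phase) {
    'Before' {
        if (-not (Test-TpmProtector -Drive $Drive)) {
            Write-Warning "$Drive has no TPM protector; a BIOS update should not trigger recovery."
        }
        # Steps 1-4 of the post: suspend protection (the key stays readable on disk
        # until resumed, so keep this window as short as possible).
        Invoke-ManageBde -Arguments @('-protectors', '-disable', $Drive)
        if ((Get-ProtectionStatus -Drive $Drive) -ne 'Protection Off') {
            throw "Protection is still on for $Drive; do not flash the BIOS yet."
        }
        Write-Host "BitLocker suspended on $Drive. Apply the BIOS update, reboot, then run with -Phase After."
    }
    'After' {
        # Step 5 of the post: resume, which re-seals the key to the new measurements.
        Invoke-ManageBde -Arguments @('-protectors', '-enable', $Drive)
        if ((Get-ProtectionStatus -Drive $Drive) -ne 'Protection On') {
            throw "Protection did not resume on $Drive; check manage-bde -status."
        }
        Write-Host "BitLocker protection resumed on $Drive."
    }
}
```

Run it as `.\BitLockerBios.ps1 -Phase Before`, flash the BIOS and reboot, then `.\BitLockerBios.ps1 -Phase After`. On Windows 7, a disabled protector stays disabled until you enable it again, so forgetting the second run leaves the drive effectively unprotected; on Windows 8 and later the `Suspend-BitLocker` cmdlet has a `-RebootCount` parameter that resumes protection automatically after the next boot, which removes that failure mode.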
