Hey guys! I'm running W10 64-bit with Bitlocker set up with a password at boot. All has been well for ~2 months, until today when I restarted my PC when I noticed my WiFi wasn't working (when in doubt, restart). Bitlocker prompted for my PIN as usual, but it would not accept the one I've been using for all this time! I'm absolutely certain I had the right one. Luckily I was able to use my recovery key to boot, and I opted to disable BL for now. I feel naked. Has this happened to anyone? I read on another site that this could be caused by an OS update. I did install an update on Thursday night, but I've restarted a couple of times since then and all was fine. The only thing I can think of, is I updated SBIE from 5.11 to 5.14 after I updated windows and restarted, but did not restart after that, until today. Other than that, I haven't modified the system in any way. Any ideas?
Only thing I can think of is that something's triggered the TPM rules for boot? Those can sometimes be trigger happy, especially if the upgrade was associated with changing boot behavior or software. Anything in the system logs?
Ah, as it just so happens, there are a handful of entries under the "Security" tab with keyword "Audit Failure" and code "5061". I was able to duplicate this just by restarting -- I'd get 4 entries in the log each time. Some sleuthing indicates that it might be related to my Nvidia graphics driver. So, I uninstalled the various components that come with it, restarted and... the errors remained. *BUT* then I downloaded the latest driver and installed it, restarted and... no more entries! So, my Nvidia driver may have somehow triggered TPM to lock?
I guess the graphics driver is going to be loaded pretty early, and if a version of that is attempting to write to unusual places or with a different signature, that might have the potential to trigger the TPM/OS verification. Had you updated that driver? Mind you, I haven't looked in detail at what W10 and TPM 2.0 (I take it that's what it is), include in their metrics for something having altered the system boot process significantly. Of course, having good backups and the recovery key is prudent at this point!
I've updated the graphics driver a few times recently without any issues, which makes this so weird! I'm considering ditching bitlocker for veracrypt after this... The fact that the author has no plans to support TPM makes it really tempting...
Let me be really helpful and say - that depends...(!) My take is that, if you are using Windows, Bitlocker is probably not what should be top of your list of worries, and it does allow you to encrypt GPT/EFI system partitions, and is commercially supported. Whatever your views of TPM, from a standard commercial risk perspective, it's highly convenient having the TPM take on some of the load so you're not asking people to enter long strong passwords every time the system boots; and Bitlocker doesn't consume additional drive letters. It also, if you've encrypted the system partition, allows you to transparently open other drives without entering their passwords every time, which is very convenient. While veracrypt is developing efi support, it's not necessarily ready for prime time in that context. A critical watershed for them was the recent publication of their security audit, including what they've fixed from the Truecrypt audit. This makes veracrypt the most attractive option for cross-platform file/disk encryption today IMO.
