I've enabled BitLocker disk encryption on my SSD drive, but when I change between the discrete/Nvidia and MSHybrid/Optimus/Intel GPUs and reboot, Windows asks me for the BitLocker key. Once I enter the recovery key, it stops nagging me until I switch back again. The hw mux was a big selling point of Clevo laptops, but I'd like to keep BitLocker. I've read somewhere (but haven't tried it) that you can pause BitLocker before hw changes, but it's a nuisance. Does anybody have this working?
-
BitLocker is tied to your hardware ID which naturally changes when the MUX is switched (as the Intel GPU and Panel change as far as the system knows).
You might have to look at some other types of drive encryption if you don't want that limitation. -
Is there an api to flip the mux? I could write a program to automate all steps.
-
The Clevo ControlCenter can flip it in software though, so you might be able to find out how it flips it. Most of its tasks are farmed out to discrete EXE or batch files.
For reference, you'll find all of it in "C:\Program Files (x86)\HotKey".
You might want to run process monitor over it or similar and see what it touches when you trigger the Mux flip. -
Hello, open gpedit.msc
Go to Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Open Configure TPM Platform Validation Profile
Switch to enabled and check the following #'s 4,5,8,9,11
You invite the possibility of a bootloader attack, but beyond that it should no longer bother you for a startup key on a GPU change; if it still does, uncheck #4.
You can experiment to increase security, but if the above succeeds, try finding out one at a time if 0, 2 and 10 cause it to trip; once you find the culprits, enable the other 2. Usually it's 0 and 2 causing the issue. Hope this helps.
Assuming you are using a TPM? -
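Added example, not from the thread or from flame's post: a PowerShell check of which TPM PCRs the BitLocker TPM protector on a volume is actually sealed against, so you can confirm the profile above took effect and see what the PCR 2 exclusion costs. It assumes an elevated shell, `manage-bde.exe` on PATH, and that manage-bde prints the PCR list on the line after "PCR Validation Profile:"; the PCR descriptions follow the conventional PC Client usage.

```powershell
# Added example (assumptions: elevated shell, manage-bde.exe on PATH, PCR list
# printed on the line following "PCR Validation Profile:").
function Get-BitLockerPcrProfile {
    param([string]$Volume = 'C:')
    $lines = @(& manage-bde.exe -protectors -get $Volume 2>&1 | ForEach-Object { "$_" })
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile') {
            # Next line looks like "0, 2, 4, 11"; pull out the integers
            return @([regex]::Matches($lines[$i + 1], '\d+') | ForEach-Object { [int]$_.Value })
        }
    }
    return @()   # no TPM protector (or manage-bde failed)
}

function Test-PcrProfile {
    param([int[]]$Pcrs)
    # Conventional meaning of the PCRs that matter for this thread
    $meaning = @{
        0  = 'firmware code (CRTM/BIOS)'
        2  = 'option ROM code (GPU/NIC firmware)'
        4  = 'boot manager code'
        7  = 'Secure Boot policy'
        11 = 'BitLocker access control'
    }
    if (-not $Pcrs) { Write-Warning 'No TPM protector found on this volume'; return }
    "Sealed to PCRs: $($Pcrs -join ', ')"
    foreach ($p in $Pcrs) {
        $desc = if ($meaning.ContainsKey($p)) { $meaning[$p] } else { 'other' }
        '  PCR {0,2}: {1}' -f $p, $desc
    }
    if ($Pcrs -notcontains 11) { Write-Warning 'PCR 11 missing: BitLocker cannot lock the key after boot' }
    if ($Pcrs -notcontains 2)  { Write-Warning 'PCR 2 excluded: option ROM changes are no longer detected (the MUX trade-off)' }
    if ($Pcrs -notcontains 0)  { Write-Warning 'PCR 0 excluded: firmware code changes are no longer detected' }
}

Test-PcrProfile (Get-BitLockerPcrProfile 'C:')
```

The profile reported here is the one the existing TPM protector was sealed with, so if it does not match the policy you set, the protector still needs to be recreated before the new profile applies.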
@Stooj I couldn't find how the switch is triggered. Process Monitor doesn't show any work process being created. Maybe it asks a driver to do it? I'll have to investigate how to debug that.
@flame Thanks, disabling PCR 2 did the trick. I also enabled PCRs 5, 8, 9, 10 and 11 as you suggested to try and make up for the loss of security due to disabling PCR 2. -
You are most certainly welcome. Usually it's caused by option 2, since the GPUs invoke optional ROMs during POST which are hidden from the user (unless you enable display optional ROM code in the vbios).
Super glad to know for future reference the cause is indeed 2 -
I would rather have the Intel GPU present even when the screen is plugged to the Nvidia for G-Sync. The TPM wouldn't get confused and the Intel could help the Nvidia if the software takes advantage of the new SLI like configurations in DirectX 12.
-
Well, I've since disabled every group policy setting and Bitlocker doesn't ask me for the recovery key anymore when switching GPUs. I don't know if newer drivers fixed this or what.
Switching GPUs breaks Bitlocker
Discussion in 'Sager and Clevo' started by bruno.uy, May 4, 2017.