Fix: Thunderbolt/eGPU Devices Causing BitLocker to Lock on Reboot

I’m using an eGPU with my notebook (best of both worlds, really: a thin, energy-efficient notebook when I’m mobile and a gaming-capable desktop when I’m at my desk). One problem I’ve been dealing with is that whenever I reboot the notebook after the eGPU has been connected or disconnected, BitLocker asks for the recovery key. This is the expected behavior from a security standpoint, because the hardware configuration has changed (remember that Thunderbolt exposes a PCI-E interface), but the heavy-handedness causes extra work since I keep having to enter the BitLocker key. We could change BitLocker to require a password (which reduces security overall unless we use a cumbersome password, which brings us back to the first issue), but I found a better way.

There’s a group policy which controls which aspects of the computer’s configuration will influence the need to enter the secret/password.

Local Computer Policy – Administrative Templates – Windows Components – BitLocker Drive Encryption – Operating System Drives – Configure TPM platform validation profile for native UEFI firmware configurations.

In this section you’ll find the Platform Configuration Registers (PCRs), each of which can be enabled or disabled. The one causing my grief is PCR 2: Extended or pluggable executable code. By enabling the GPO and unticking that box, we reduce security slightly for the benefit of convenience (as is usually the case with these sorts of things).
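To see where things stand before and after flipping the GPO, here is a PowerShell check I’d run. It is an added example, not part of the original post; it assumes an elevated session, the OS drive on C:, the registry mapping of that GPO (HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidationUEFI with DWORDs named Enabled and 2), and the layout of manage-bde’s output.

```powershell
# Added example (not from the original post): report which PCRs the OS drive's
# TPM key protector is sealed to, and whether the GPO above has excluded PCR 2.
# Assumptions: elevated session, OS drive is C:, registry mapping of the GPO,
# and the "PCR Validation Profile" layout printed by manage-bde.

$MountPoint = 'C:'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidationUEFI'

function Get-TpmPcrProfile {
    param([string]$Volume)
    # manage-bde lists each key protector; the TPM one carries the PCR profile
    $lines = & manage-bde.exe -protectors -get $Volume 2>&1 | ForEach-Object { "$_" }
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile') {
            # the list follows the colon or sits on the next line (assumed layout)
            $list = ($lines[$i] -split ':', 2)[1]
            if ([string]::IsNullOrWhiteSpace($list) -and ($i + 1) -lt $lines.Count) {
                $list = $lines[$i + 1]
            }
            if ([string]::IsNullOrWhiteSpace($list)) { return @() }
            return @($list.Trim() -split ',\s*' | Where-Object { $_ } | ForEach-Object { [int]$_ })
        }
    }
    return @()   # no TPM protector on this volume
}

function Get-Pcr2PolicyState {
    if (-not (Test-Path $PolicyKey)) { return 'not configured (Windows defaults apply)' }
    $p = Get-ItemProperty -Path $PolicyKey
    if ($p.Enabled -ne 1) { return 'policy disabled' }
    # each PCR checkbox is stored as a DWORD named after the PCR number (assumed)
    if ($p.'2' -eq 1) { 'PCR 2 still validated' } else { 'PCR 2 excluded' }
}

$pcrs = Get-TpmPcrProfile -Volume $MountPoint
Write-Host "TPM protector on $MountPoint is sealed to PCRs: $($pcrs -join ', ')"
Write-Host "GPO state: $(Get-Pcr2PolicyState)"

if ($pcrs -contains 2) {
    Write-Host 'PCR 2 (extended/pluggable code) is still in the profile, so attaching or'
    Write-Host 'detaching the Thunderbolt eGPU will keep triggering the recovery prompt.'
    Write-Host 'After changing the GPO run gpupdate /force and re-check; if the profile is'
    Write-Host 'unchanged, the existing TPM protector was sealed under the old profile and'
    Write-Host 'would need to be re-created (manage-bde -protectors -delete / -add), which'
    Write-Host 'is an assumption of this example rather than something the post states.'
}
```

Back up the recovery key before touching key protectors, since re-creating the TPM protector re-seals the volume key.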