BitLocker Recovery Key Prompt Issue in Windows 10 …

We have several Lenovo E560 laptops deployed with Samsung EVO 850 SSDs and Windows 10 1709. These happen to have the Infineon (IFX) TPM chips and we have BitLocker full-drive encryption with eDrive (hardware encryption) enabled using UEFI/Secure Boot. The key protectors are TPM+USB key and Numeric PIN for recovery. They produce this message in the tpm.msc console:

The TPM firmware on this PC has a known security problem. Please contact your PC manufacturer to find out if an update is available. For more information please go to https://go.microsoft.com/fwlink/?linkid=852572

I read the article at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012

An issue has been occurring after the March 2018 Cumulative update installs (KB4088776) and Windows restarts. The OS drive prompts for the recovery key. No problem here as we enter it and the drive unlocks. However, in Windows, the Manage BitLocker console reports that BitLocker is turned off! Also the manage-bde -status confirms that the drive is fully decrypted and protection is off.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [] [OS Volume]

    Size:                 465.21 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found

From Diskpart:

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery           450 MB  1024 KB
  Partition 2    System             100 MB   451 MB
  Partition 3    Reserved            16 MB   551 MB
  Partition 4    Primary            465 GB   567 MB

On the first laptop in which I encountered this, I tried to turn BitLocker back on, but on reboot during the check, it corrupted the Windows bootloader and put me in an automatic recovery repair loop. I was able to get out of that, but the BitLocker recovery key prompt remained. Even clearing the TPM in Windows or manually from the BIOS doesn't resolve it. Also disabling the TPM in BIOS doesn't resolve it. What DID resolve it was deleting all the partitions and installing Windows from scratch.

I then applied a TPM firmware update from Lenovo (updated these from 6.40 to 6.43), now Microsoft no longer reports the vulnerability and all is well.

This took me many hours to diagnose and solve. Obviously, a complete Windows reinstallation is not the way to go and I have several other affected laptops waiting for a fix. But so far, I can't figure out what to do about clearing the BitLocker recovery key. I'd like to be able to do the following:

1. Clear any keys or prompts and allow Windows to boot normally with no BitLocker prompts.

2. Install the TPM firmware update.

3. Re-enable BitLocker.

4. Accomplish this without destroying the Windows installation or causing an OS reinstall.

How can I remove the continual BitLocker recovery key prompting when Windows is reporting that it is not enabled and doesn't exist to begin with?
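For the remaining laptops, a triage script that records the three facts this post turns on (the Infineon TPM firmware version, whether Windows has logged the ADV170012 warning, and what BitLocker itself reports for the OS volume) is worth running before any firmware work. This is an added example, not part of the original post or of any Lenovo or Microsoft tooling; it assumes Windows 10 with the BitLocker PowerShell module, an elevated session, and that the fixed firmware version to compare against is the 6.43 mentioned above. Event 1794 from the TPM-WMI provider is the System log entry that backs the tpm.msc warning; the function tolerates its absence.

```powershell
#Requires -RunAsAdministrator
# Added triage helper (assumption-based; not from the original post).
# Collects TPM firmware version, the ADV170012 warning, and BitLocker's own
# view of the OS volume so each machine's state is recorded before updating.

function Get-TpmBitLockerTriage {
    [CmdletBinding()]
    param(
        # Firmware version the post reports as fixed by Lenovo's update
        # (assumption: ManufacturerVersion parses cleanly as [version]).
        [version]$FixedInfineonVersion = '6.43'
    )

    # Win32_Tpm exposes the firmware version string, e.g. "6.40" on the affected units
    $tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' -ClassName Win32_Tpm
    $fw  = [version]$tpm.ManufacturerVersion

    # ADV170012 indicator: TPM-WMI event 1794 in the System log
    $adv = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1794
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    # BitLocker's view of the OS volume (the post saw FullyDecrypted / Off here)
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        TpmManufacturerId  = $tpm.ManufacturerId   # 0x49465800 is 'IFX' (Infineon)
        TpmFirmwareVersion = $fw
        FirmwareBelowFixed = ($fw -lt $FixedInfineonVersion)
        Adv170012Logged    = [bool]$adv
        VolumeStatus       = $os.VolumeStatus
        ProtectionStatus   = $os.ProtectionStatus
        KeyProtectors      = ($os.KeyProtector | ForEach-Object KeyProtectorType) -join ','
    }
}

# Example run; export the object per machine so the fleet can be compared.
Get-TpmBitLockerTriage | Format-List
```

A machine whose TPM still reports a version below 6.43 together with `FirmwareBelowFixed = True` and `Adv170012Logged = True`, yet `VolumeStatus = FullyDecrypted`, is in exactly the inconsistent state described above, and the record shows whether the firmware or the BitLocker state is what changed after each step.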
