Issues Resulting in BitLocker Recovery Mode and Their Resolution
My name is Tanner Slayton and I am a Sr. Support Escalation Engineer for Microsoft on the Windows Core Team. I am writing today to shed some light on a common BitLocker problem that we see.
* While you can accomplish most tasks via the BitLocker Control Panel applet, I am going to use the manage-bde commands from an elevated command prompt.
Specific operations or actions will cause BitLocker to go into Recovery Mode and ask you to enter the 48-digit Recovery Key. This can be caused by several things, and a complete list can be viewed here, but today I am going to go over the most common issues.
Scenario # 1: When you are using a laptop or desktop computer and the BIOS boot order does not list the OS HDD as the first boot device. The boot device makes up part of the system measurement used by BitLocker, and this measurement must remain consistent for BitLocker to validate the system status and unlock the drive (e.g. if you have the DVD-ROM drive listed first and had bootable media inserted, this can cause the system measurement to change). Some firmware will also treat PXE network boot as a change in boot order, even when the user does not choose network boot. Changing from a wireless to a wired network can trigger a recovery event. Putting the HDD first in the boot order generally eliminates these issues.
Resolution:
o Suspend BitLocker drive encryption by typing "manage-bde -protectors -disable c:" from an elevated command prompt.
o Go into the BIOS and change the boot order so the OS HDD is first in the list.
o In the default configuration shipped by most hardware vendors, the HDD is not the first boot device.
o If you have a laptop with a docking station, make sure it is docked while you make this change, so that the external devices presented by the docking station are present in the BIOS.
o Boot into the Operating System and run "manage-bde -protectors -enable c:".
Scenario # 2: When you are either deploying a new system or encrypting the drive for the first time. You might pause the BitLocker encryption process to improve performance, or while performing other tasks so that encryption can run later, or because you need more than the 6 GB of free space to continue deploying the system. When you run "manage-bde -pause c:" you are pausing the drive encryption of C:, but not the BitLocker protectors on the system.
You might say to yourself: if I run "manage-bde -status c:" I see that protection is off on that drive. The reason you see this is that encryption of the drive is not yet complete, so the clear-text key still exists.
Volume C: []
[OS Volume]
Size: 37.17 GB
BitLocker Version: Windows 7
Conversion Status: Encryption Paused
Percentage Encrypted: 3%
Encryption Method: AES 128 with Diffuser
Protection Status: Protection Off <--- Where it shows "Protection Off"
Lock Status: Unlocked
Identification Field: None
Resolution:
o When you need to pause the encryption, whether for performance or drive space reasons, run "manage-bde -pause c:".
o After encryption has been paused, run "manage-bde -protectors -disable c:".
o Once you have completed your tasks and wish to start the encryption process again, run "manage-bde -resume c:".
o Once the encryption is complete, or once you have completed your tasks, run "manage-bde -protectors -enable c:".
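The scenarios above all follow the same pattern (suspend protectors, change the platform, re-enable protectors), with Scenario 2 adding the pause/resume step around conversion. The following PowerShell is an added example, not from the original post: it wraps a maintenance task in that sequence, driven by manage-bde output, and refuses to start unless a recovery password protector is on record. It assumes an elevated prompt, manage-bde.exe on PATH and English-language manage-bde output; the function names and the VendorBiosUpdate.exe path are hypothetical.

```powershell
# Added example (not the post's code). Assumes an elevated prompt, manage-bde.exe on PATH, English output.
function Invoke-Bde {
    # Run manage-bde and fail loudly on a non-zero exit code instead of continuing blind.
    $out = & manage-bde @args
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $($args -join ' ') failed ($LASTEXITCODE): $out" }
    return $out
}
function Get-BdeStatus {
    param([string]$Volume = 'C:')
    # Parse the "Key: Value" lines of manage-bde -status (as shown above) into a hashtable.
    $status = @{}
    foreach ($line in (Invoke-Bde -status $Volume)) {
        if ($line -match '^\s*(Conversion Status|Percentage Encrypted|Protection Status|Lock Status):\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}
function Invoke-BdeMaintenance {
    param([Parameter(Mandatory)] [scriptblock]$Task, [string]$Volume = 'C:')
    # Refuse to touch the platform without a recovery password on record: if the
    # measurements still change afterwards, that 48-digit key is the only way back in.
    if (-not ((Invoke-Bde -protectors -get $Volume) -match 'Numerical Password')) {
        throw "No recovery password protector found on $Volume; back one up first."
    }
    $before = Get-BdeStatus -Volume $Volume
    $wasEncrypting = $before['Conversion Status'] -eq 'Encryption in Progress'
    # Scenario 2: pausing conversion alone does not disarm the protectors, so pause
    # first and then disable the protectors explicitly.
    if ($wasEncrypting) { Invoke-Bde -pause $Volume | Out-Null }
    Invoke-Bde -protectors -disable $Volume | Out-Null
    try {
        & $Task   # BIOS update, language pack install, partition change, ...
    } finally {
        # Re-arm even if the task throws. If the task reboots the machine this block
        # never runs: re-enable the protectors after the reboot, as the scenarios say.
        if ($wasEncrypting) { Invoke-Bde -resume $Volume | Out-Null }
        Invoke-Bde -protectors -enable $Volume | Out-Null
    }
    $after = Get-BdeStatus -Volume $Volume
    if ($after['Protection Status'] -notmatch 'Protection On') {
        Write-Warning "Protection Status on $Volume is '$($after['Protection Status'])'; see Scenario 2."
    }
    return $after
}
# Usage: Invoke-BdeMaintenance -Task { Start-Process '.\VendorBiosUpdate.exe' -Wait }
```

The final status check matters because, as the output above shows, a volume whose conversion is paused reports "Protection Off" even after the protectors are re-enabled.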
Scenario # 3: The BIOS or TPM firmware is out of date on the system.
Resolution:
o Suspend BitLocker drive encryption: "manage-bde -protectors -disable c:"
o Update the BIOS on the system.
o If there is a TPM firmware update, follow the vendor installation instructions.
o Reboot the Operating System and run "manage-bde -protectors -enable c:"
Scenario # 4: When you install additional language packs onto the system and select the option to apply the language settings to all users and system accounts. This causes a locale change in the Boot Configuration Data (BCD), which BitLocker with TPM interprets as a boot attack.
Resolution:
o Suspend BitLocker drive encryption: "manage-bde -protectors -disable c:"
o Add language packs to the system and make any language settings.
o Resume BitLocker drive encryption: "manage-bde -protectors -enable c:"
Scenario # 5: When you create or modify any of the partitions that reside on the OS drive.
Resolution:
o Suspend BitLocker drive encryption: "manage-bde -protectors -disable c:"
o Shrink, expand, or create any partitions on the drive.
o Resume BitLocker drive encryption: "manage-bde -protectors -enable c:"
I want to thank you for your time today and hope that this information was helpful.
Tanner Slayton
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support
Comments
- Anonymous
January 01, 2003
Also, the article shows Microsoft is very short-sighted when it came to BitLocker and how recovery mode is triggered. Some companies need to leave the PXE boot enabled, as not all users can be walked through the BIOS. We don't have the budget to purchase, say, vPro from Intel to manage the BIOS, and our machines are spread through 200+ remote sites. If the machine needs to be reimaged we also cannot afford the shipping costs to send the machine back to a config lab for reimaging. Instead we reinstall on site and leave the PXE boot enabled for just such a reason. Here is where PCR10 does not make sense: PXE boot was enabled before BitLocker was enabled. If you hibernate the machine then it sends BitLocker into recovery mode, but with PCR 10 disabled everything runs fine. Very short-sighted Microsoft!!!!! - Anonymous
January 01, 2003
I'm looking for assistance on Panasonic Toughbook models CF-52 and CF-53 and their docking station. When BitLocker is enabled while docked, they go into recovery mode undocked. Suspending and resuming protection works for subsequent undocked boots. When redocking, recovery mode is triggered again. Again, suspending and resuming protection will resolve it for subsequent docked boots. Once the laptop is undocked, recovery mode is triggered again. I've tried disabling options 0 and 2 in the verification profile in group policy as recommended in another article, but it has had no effect. Any insight that can be provided would be greatly appreciated. - Anonymous
September 20, 2010
VERY helpful information. I would have thought Microsoft would post something similar to this. Thanks again for your work! - Anonymous
November 08, 2010
Hi, very good post. But these scenarios do not cover everything. What would you do in a case where BitLocker encrypts an external hard drive and stores the password on the local system, and after doing that, it is unable to decrypt the external drive even when provided with the right password or key? If you need more details, you can see my post here.... I have had a disaster with it... and haven't recovered :( Win 7 is a breeze of fresh air... but having these problems is like having the golden (or blue) days back!! windows.bigresource.com/Track-vista-CNYFiaMx - Anonymous
March 24, 2012
I have encrypted my D:, which is 130 GB in size. After installation it was working properly for 3 days, but now it is not booting, and during the boot process it is asking for the BitLocker recovery file. So please help me. My id is sandybamane13@gmail.com - Anonymous
April 23, 2012
We have been deploying BitLocker for well over a year. We do set the HDD first in the BIOS under all boot orders, but on our M91s a USB drive left in the USB port still throws a BitLocker code request, even after removing it from the boot order in the BIOS. Anyone run into this? - Anonymous
September 05, 2012
Thanks for the post, solved my problem with the first scenario. - Anonymous
May 30, 2013
I am facing an issue with BitLocker where it is failing with the error "The System cannot find the file specified". Can you please help me to get out of this? Thanks in advance. Mahadev Nitture - Anonymous
July 28, 2013
How about this cause: I have two 64 GB USB sticks from the same manufacturer and had both BitLockered. Things were fine until today, when writing to one of the USB sticks failed. It now reports "no media" and a dialog that says "Please insert a disk into Removable disk (E:)" appears if I try to view it. OK, fine, maybe the USB stick actually failed. However, when I remove that USB stick, reboot, and try the other (almost unused) USB stick, it asks for the BitLocker password and refuses to accept it. If I try to give it the full recovery key it also refuses that. It appears that the failure of one USB stick has caused a different stick (of the same brand) to be unusable. Other USB sticks, both clear-text and BitLockered, still work. The second USB stick does NOT report no media; it is purely a BitLocker issue with that one. - Anonymous
August 05, 2013
Scenario 5? Laptop LCD is shattered, need to move the BitLocker hard disk into another chassis. System continually prompts for recovery key. How do you move a disk to another computer (same model, TPM enabled) permanently? - Anonymous
June 27, 2017
For this, I have found the best thing to do is decrypt, shut down, start it back up, then re-encrypt.
- Anonymous
- Anonymous
September 12, 2013
@Eric
1) After you enter the recovery key and boot, suspend BitLocker
2) Activate and then take ownership of the TPM
3) Resume BitLocker, reboot, and confirm you are no longer prompted for the recovery key - Anonymous
November 20, 2013
Hi there, does anyone encounter the BitLocker recovery mode not being able to trigger? I disabled TPM and ran the -forcerecovery command to trigger the BitLocker recovery screen; unfortunately it goes to the WPE command prompt. I am using a Lenovo Helix T510 4349-BF6 running Windows 8 Enterprise Edition build 9200 (64-bit). Any input is highly appreciated. Thank you. - Anonymous
April 01, 2014
Hi,
We have Windows 7 x64; every month after patching we are seeing 100-200 odd cases where BitLocker gets into recovery mode. The machines are always different, and once we provide a recovery key it works fine.
However, it is becoming a pain. Any suggestions will be helpful.
Regards - Anonymous
September 17, 2014
What about the installation of Windows Updates, when the machine reboots after configuring BitLocker and asks for the BitLocker Recovery Key? - Anonymous
January 19, 2015
First I want to thank you for your great and useful article.
I have some questions and I hope you could assist me :)
I am trying to check the logs to see the changes in the Boot Configuration Database, but I am not sure which log, if any. Are you able to advise me which log I could check on Windows 7 64 Professional? Also, are there logs that could show when and why BitLocker was targeted?
Thanks in Advance - Anonymous
February 19, 2015
The comment has been removed - Anonymous
March 31, 2015
I'd like to reiterate questions by Shankar and Darrell. We keep seeming to see a spike in recovery key requests after patch cycles distributed through our KACE software management system and after Windows Updates. We cannot find specific triggers and all the typical fixes (those listed above were familiar to us) don't seem to help long-term. - Anonymous
June 22, 2015
I have a question about a machine I have where it randomly requested the BitLocker key after a few years of running with no problem. So I entered the key manually and it came back up just fine, but when I did a reboot it asked for it again. The only way I thought to fix this was to make a new key, which worked, but now its boot-up takes longer and it looks like it's scanning the DHCP and shows the MAC address for a while on the screen. I tried to view your file above for reasons it asks for the key but was unable to. Any help would be great, thanks.
1st, what could have caused this?
2nd, how can I fix this? - Anonymous
August 13, 2015
Hi. My BitLocker goes into recovery whatever I do. I have a fresh install with an initiated and owned TPM, and the only change I have made is in gpedit, where I have activated a PIN code in further authorization. I have the OS drive as the first and only drive in the startup list in the BIOS. Everything else is deactivated. I have nothing plugged in except keyboard/mouse. I know the boot manager is the culprit since it works if I untick PCR10. Could someone list some reasons that could be the cause? Or some way for me to find out on my own?
Thanks - Anonymous
September 22, 2015
We have a problem while deploying the OS from SCCM. We are able to image brand new laptops whose disks are not encrypted, but when we re-image an existing laptop it works. The error is: "The driver is locked by bitlocker Drive Encryption. You must unlock ......" but we have a TS to disable the same, and still we are getting the same error. - Anonymous
June 08, 2016
You need to wipe the disk prior to the re-imaging process. Using SCCM, I normally press F8 to bring up the command prompt and then use diskpart to delete the partitions. This solved it for me.
- Anonymous
- Anonymous
October 20, 2015
Thank you - Anonymous
December 19, 2015
Hi, my name is Navid. Thanks for your helpful information. I have been facing a problem with the BitLocker recovery key: I encrypted a 1 TB external drive with BitLocker, but now it doesn't accept the recovery key. The recovery key is correct, but when I enter it a message appears saying "your recovery key is incorrect".
Please, if anyone has any idea or solution, let me know: I just want to get my data back.
Thanks
Navid
navid1.navid23@gmail.com - Anonymous
August 18, 2016
I've enabled BitLocker on my Dell 5570 with docking station. I use a wireless mouse and keyboard, but they will only be detected if the dongle is in the laptop. If the dongle is in the docking station or connected monitor, I can't enter the BitLocker password. I have to put the dongle in the laptop USB port for the keyboard to be detected. What can I do to enable the keyboard for BitLocker password entry with the dongle in the docking station? I don't want that dongle protruding from my laptop when I take it out of the docking station. I only need the wireless mouse and keyboard when I'm docked. Thanks - Anonymous
August 29, 2016
You guys aren't too useful. Two weeks and no response?
- Anonymous
- Anonymous
August 25, 2016
Hi. I'm joining this conversation to say I'm very unhappy with this BitLocker gizmo. I never asked for it, but Windows 10 has encrypted all my files, and when I made a restoration I suddenly found I have lost everything - the computer (XPS 13) won't boot, and when I input the BitLocker code I have managed to recuperate, it starts off the boot process, which forever ends with the BitLocker code needing to be input. I have spent hours with Dell technicians and they have provided me with a new hard drive. Great, so I lose all my files. I've tried using a boot key to repair, I've tried inputting commands, but I always end up with commands that can't be followed because the drive is protected. With friendly protection like this who needs enemies? If you have any suggestion let me know. rupertsalmon6@yahoo.fr First thing I'll do when I finally get back onto a working PC will be to disable BitLocker! - Anonymous
January 04, 2017
Upon encryption with BitLocker (To Go), I cannot access my USB drive anymore after plugging it into my computer. It does make the connection sound, but it just doesn't show up. I tried everything I know, ranging from following tutorials on 'disk management' and 'device manager' to online helpdesk instructions, peer suggestions and forums. Nothing works. If necessary I can explain further in more depth. Please help me, as my USB drive contains important files (both for work and private).
- Anonymous
- Anonymous
March 23, 2017
The comment has been removed - Anonymous
December 04, 2017
Just press F12 at startup, go into the boot menu and select "Windows Boot Manager", hit Enter, then relax & be cool - Anonymous
February 22, 2018
The comment has been removed - Anonymous
March 06, 2018
The comment has been removed