This article explains how to retrieve BitLocker recovery keys from Active Directory Domain Services (AD DS). Organizations can regain access to BitLocker-protected data by using the BitLocker recovery information that has been backed up to AD DS. A BitLocker recovery model should be developed during the planning stages of a BitLocker deployment. The recovery methods are described in the sections below.
This article assumes that readers are familiar with how to configure AD DS to automatically back up BitLocker recovery information and with the different kinds of recovery information that are saved to AD DS.
This article does not give specific instructions on how to configure AD DS to store BitLocker recovery information.
What is BitLocker recovery?
BitLocker recovery is the process of regaining access to a BitLocker-protected drive when the drive cannot be unlocked in the usual way. In a recovery scenario, the following options are available for restoring access to the drive:
- The user can supply the recovery password. If the organization allows users to print or store recovery passwords, the user can enter the 48-digit recovery password that they printed or stored on a USB drive or with an online Microsoft account. If the organization does not allow this, the user has no password to enter. Saving a recovery password with an online Microsoft account is only permitted when BitLocker is used on a PC that is not a member of a domain.
- A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, it must first be mounted as a data drive on another computer before the data recovery agent can unlock it.
- A domain administrator can retrieve the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended so that IT professionals can retrieve recovery passwords for drives in the organization when needed. This method requires that the recovery method be enabled in the BitLocker group policy setting Choose how BitLocker-protected operating system drives can be recovered, located at Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the Local Group Policy Editor. Refer to the BitLocker Group Policy settings for further details.
What causes BitLocker recovery?
The following list gives examples of specific events that cause BitLocker to enter recovery mode when starting the operating system drive:
- On computers that use BitLocker Drive Encryption, or on devices such as tablets or phones that use BitLocker Device Encryption only, a detected attack causes the device to reboot immediately and enter BitLocker recovery mode. To take advantage of this behavior, administrators can configure the Group Policy setting Interactive logon: Machine account lockout threshold, found at Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options in the Local Group Policy Editor. Alternatively, the MaxFailedPasswordAttempts policy of Exchange ActiveSync, which can be configured with Microsoft Intune, limits the number of failed password attempts allowed before the device enters Device Lockout.
- On devices with TPM 1.2, changing the BIOS or firmware boot device order triggers BitLocker recovery. Devices with TPM 2.0 do not start recovery in this case: TPM 2.0 does not treat a change to the firmware boot device order as a security threat as long as the OS boot loader is intact.
- Placing the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
- Failing to boot from a network drive before booting from the hard drive.
- Docking or undocking a portable computer. Depending on the computer manufacturer and the BIOS, the docking condition of the portable computer is sometimes part of the system measurement and must be consistent for the system state to be validated and BitLocker to unlock. If a portable computer was connected to its docking station when BitLocker was turned on, it may also need to be connected to the docking station when it is unlocked. Conversely, if it was not connected when BitLocker was turned on, it may need to be disconnected from the docking station when it is unlocked.
- Changes to the NTFS partition table on the disk, including creating, deleting, or resizing a primary partition.
- Entering the personal identification number (PIN) incorrectly too many times, which activates the anti-hammering logic of the TPM. Anti-hammering logic is the set of software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by refusing to accept PIN entries until a certain amount of time has passed.
- Turning off support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware when USB-based keys are used instead of a TPM.
- Turning off, disabling, deactivating, or clearing the TPM.
- Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, which changes the boot measurements.
- Forgetting the PIN when PIN authentication is enabled.
- Updating option ROM firmware.
- Upgrading the TPM firmware.
- Adding or removing hardware, for example inserting a new card in the computer, including some PCMCIA wireless cards.
- Removing, inserting, or completely depleting the charge on a smart battery of a portable computer.
- Changes to the master boot record on the disk.
- Changes to the boot manager on the disk.
- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM by the operating system. When this option is selected, the TPM is hidden from the operating system; BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software.
- Using a different keyboard that does not correctly enter the PIN, or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs.
- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including PCR[1] would make BitLocker measure most changes to BIOS settings, so BitLocker would enter recovery mode even when non-boot-critical BIOS settings change. Some computers have BIOS settings that skip measurements to certain PCRs, such as PCR[2]. Changing such a setting in the BIOS changes the PCR values and causes BitLocker to enter recovery mode.
- Moving a BitLocker-protected drive into a new computer.
- Upgrading to a new CPU with a new TPM chip.
- Losing the USB flash drive that contains the startup key when startup key authentication is enabled.
- Failing the TPM self-test.
- Having a BIOS, UEFI firmware, or option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode.
- Changing the usage authorization for the storage root key of the TPM to a non-zero value. Note: BitLocker TPM initialization sets the usage authorization value to 0. If this value has been changed, it was done deliberately by a user or process.
- Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).
- Pressing the F8 or F10 key during the boot process.
- Adding or removing add-in cards (such as video or network cards) or upgrading firmware on add-in cards.
- Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.
Before beginning recovery, it is recommended to determine what caused it. This might help prevent the problem from occurring again in the future. For example, if it is determined that an attacker modified the computer by obtaining physical access, new security policies can be created for tracking who has physical presence. After the recovery password has been used to regain access to the PC, BitLocker reseals the encryption key to the current values of the measured components.
For planned scenarios, such as a known hardware or firmware upgrade, initiating recovery can be avoided by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key.
If BitLocker is suspended, protection resumes automatically when the PC is restarted, unless a reboot count has been specified with the manage-bde command-line tool.
If software maintenance requires the computer to be restarted and two-factor authentication is in use, the BitLocker network unlock feature can be used to provide the secondary authentication factor when the computer does not have an on-premises user to provide it.
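The suspend-and-resume flow described above, as an added PowerShell example that is not part of the original article: one function suspends BitLocker for a fixed number of reboots before planned maintenance, and a second one checks afterwards that protection actually came back, resuming it explicitly if the update needed more restarts than expected. It assumes the built-in BitLocker module, an elevated session, and C: as the operating system volume; none of these values come from the article.

```powershell
# Added example (not from the original article): suspend BitLocker for a
# known number of restarts, then confirm protection resumed afterwards.
# Assumes the built-in BitLocker PowerShell module and an elevated session;
# "C:" as the OS volume is an assumed value.
function Suspend-BitLockerForMaintenance {
    param([string]$MountPoint = 'C:', [int]$RebootCount = 1)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$MountPoint protection is already $($vol.ProtectionStatus); nothing to suspend."
        return $vol
    }
    # The drive stays fully encrypted; only the key protectors are disabled.
    # After $RebootCount restarts BitLocker re-arms itself and reseals the key
    # to the new measurements, so no recovery password is needed. A count of 0
    # suspends indefinitely and must be resumed by hand.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount
}

function Confirm-BitLockerResumed {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'Off') {
        # Happens when the update needed more restarts than RebootCount allowed,
        # or when RebootCount was 0. Re-arm explicitly so the drive is not left exposed.
        Write-Warning "$MountPoint is still suspended; resuming protection."
        $vol = Resume-BitLocker -MountPoint $MountPoint
    }
    $vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

# Before the firmware update:  Suspend-BitLockerForMaintenance -MountPoint 'C:' -RebootCount 1
# After the reboot(s):         Confirm-BitLockerResumed -MountPoint 'C:'
```

The post-reboot check is the part worth keeping in a maintenance runbook: a suspended volume reports VolumeStatus FullyEncrypted but ProtectionStatus Off, and it stays that way until the reboot count is exhausted or Resume-BitLocker is called.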
Recovery has been described in terms of unplanned or undesired behavior, but recovery can also be a planned part of the production process, for example to manage access control. When desktop or laptop computers are redeployed to other departments or employees in the organization, BitLocker can be forced into recovery before the computer is given to a new user.
Testing BitLocker recovery
Before a full BitLocker recovery process is created, it is recommended to test how the recovery process works for both end users (the people who call the Helpdesk for the recovery password) and administrators (the people who help the end user get the recovery password). The -forcerecovery command of manage-bde.exe is an easy way to step through the recovery process before users encounter a recovery situation.
To force a recovery for the local computer:
- Select the Start button and type cmd.
- Right-click cmd.exe or Command Prompt and select Run as administrator.
- At the command prompt, enter the following command:
manage-bde.exe -forcerecovery <BitLockerVolume>
To force a recovery for a remote computer:
- Select the Start button and type cmd.
- Right-click cmd.exe or Command Prompt and select Run as administrator.
- At the command prompt, enter the following command:
Recovery triggered by -forcerecovery persists for multiple restarts until a TPM protector is added or protection is suspended by the user. The -forcerecovery option is not recommended on Modern Standby devices (such as Surface devices), because BitLocker will need to be unlocked and disabled manually from the WinRE environment before the OS can boot again. See BitLocker Troubleshooting: Continuous reboot loop with BitLocker key recovery on a slate device for more information.
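One way to script the recovery test above for either the local or a remote computer, as an added PowerShell example that is not from the original article. It wraps manage-bde.exe and, before forcing recovery, checks that a recovery password protector actually exists on the volume, since a forced recovery on a drive with no recovery password leaves the tester locked out. The -ComputerName switch of manage-bde.exe is a real parameter; the function name, the volume letter and the remote computer name in the usage lines are assumptions.

```powershell
# Added example (not from the original article): force a test recovery on the
# local or a remote computer, but only after confirming a recovery password
# protector exists so the tester can get back in afterwards. Assumes an
# elevated session and manage-bde.exe on the PATH; 'PC01' and 'C:' are placeholders.
function Test-BitLockerRecoveryPath {
    param(
        [string]$Volume = 'C:',
        [string]$ComputerName            # omit for the local computer
    )
    # manage-bde accepts -ComputerName for remote targets; splat it only when given.
    $target = if ($ComputerName) { @('-ComputerName', $ComputerName) } else { @() }

    # Step 1: confirm a numerical (recovery) password protector is present.
    $protectors = (& manage-bde.exe -protectors -get $Volume @target 2>&1) | Out-String
    if ($protectors -notmatch 'Numerical Password') {
        throw "No recovery password protector on $Volume; add and back one up before testing recovery."
    }

    # Step 2: force recovery at the next boot. The effect persists across restarts
    # until a TPM protector is re-added or protection is suspended and resumed.
    & manage-bde.exe -forcerecovery $Volume @target
}

# Local test:   Test-BitLockerRecoveryPath -Volume 'C:'
# Remote test:  Test-BitLockerRecoveryPath -Volume 'C:' -ComputerName 'PC01'
```

Run the remote form only against a machine whose recovery password has already been verified in AD DS or MBAM, and skip it entirely on Modern Standby devices for the reason given above.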
Planning the recovery process
Before beginning the BitLocker recovery process, consult the organization's current best practices for recovering sensitive information. For example, how does the organization handle lost Windows passwords? How does the organization perform smart card PIN resets? These best practices and related resources (people and tools) can be used to help formulate a BitLocker recovery model.
Organizations should consider using Microsoft BitLocker Administration and Monitoring (MBAM) version 2.0, part of the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance, to manage BitLocker Drive Encryption and BitLocker To Go, which protect data on many computers and removable drives running Windows 11, Windows 10, Windows 8, or Windows 7, as well as Windows To Go.
MBAM lets administrators provision and monitor encryption for operating system and fixed drives, which makes BitLocker deployments simpler to deploy and administer. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery management easier. MBAM can be used as a standalone product or as part of a Microsoft System Center deployment. See Microsoft BitLocker Administration and Monitoring for more details.
After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for the organization.
When the recovery process is determined:
- Become familiar with how a recovery password can be retrieved. See:
- Self-recovery
- Recovery password retrieval
- Determine a series of steps for post-recovery, including analyzing why the recovery occurred and then resetting the recovery password. See:
- Post-recovery analysis
Self-recovery
Self-recovery is an option for users who have the recovery password on a printout or a USB flash drive. It is recommended that the organization create a policy for self-recovery. Users should be warned not to store a USB flash drive containing a recovery password or key in the same place as the PC, especially during travel. If the laptop and the recovery items are in the same bag, for example, an unauthorized user could easily access the laptop. Another policy to consider is to require users to contact the Helpdesk before or after performing self-recovery.
Recovery password retrieval
If the user does not have a recovery password printed or on a USB flash drive, the user needs to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. The recovery password is not backed up to AD DS by default; the appropriate group policy settings must have been configured before BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or cannot be used.
- Choose how BitLocker-protected operating system drives can be recovered
- Choose how BitLocker-protected fixed drives can be recovered
- Choose how BitLocker-protected removable drives can be recovered
In each of these policies, select Save BitLocker recovery information to Active Directory Domain Services, and then choose which BitLocker recovery information to store in AD DS. To prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds, select the Do not enable BitLocker until recovery information is stored in AD DS check box.
If the PCs are part of a workgroup, users are strongly advised to save their BitLocker recovery password with their online Microsoft account. Keeping an online copy of the BitLocker recovery password is recommended to help prevent loss of access to data if recovery is required.
The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory.
The following list can be used as a template for creating a recovery password retrieval process. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.
- Record the name of the user's computer.
- Verify the user's identity.
- Locate the recovery password in AD DS.
- Gather information to determine why recovery occurred.
- Give the user the recovery password.
Record the name of the user's computer
The name of the user's computer can be used to locate the recovery password in AD DS. If the user does not know the name of the computer, ask the user to read the first word of the Drive Label in the BitLocker Drive Encryption Password Entry user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer.
Verify the user's identity
The person who is asking for the recovery password should be verified as the authorized user of that computer. It should also be verified whether the computer for which the user provided the name belongs to the user.
Locate the recovery password in AD DS
Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, the object should be able to be located even in a multi-domain forest.
Multiple recovery passwords
If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created.
To make sure the correct password is provided, and to prevent providing the incorrect password, ask the user to read the eight-character password ID displayed in the recovery console.
Since the password ID is a unique value associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume.
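The lookup steps above (find the computer object, list its recovery information objects, pick the one whose password ID the user read out) as an added PowerShell example; this is not from the original article and is a scripted alternative to the BitLocker Recovery Password Viewer GUI it describes. It uses the ActiveDirectory (RSAT) module and assumes the caller has read rights on msFVE-RecoveryInformation objects. The function name, the computer name and the password-ID prefix in the usage lines are assumptions.

```powershell
# Added example (not from the original article): retrieve BitLocker recovery
# passwords for a computer from AD DS with the ActiveDirectory module.
# Assumes read access to the msFVE-RecoveryInformation child objects.
# 'PC01' and 'A1B2C3D4' in the usage lines are placeholders.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryFromAD {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [string]$PasswordIdPrefix,   # the 8-character ID shown on the recovery screen
        [string]$Server              # optional domain controller of the computer's domain
    )
    $srv = if ($Server) { @{ Server = $Server } } else { @{} }

    # Step 1: find the computer object. Computer names are in the global catalog,
    # but the recovery attributes are not, so query the computer's own domain.
    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop @srv

    # Step 2: recovery information is stored in child objects of the computer object.
    # Each object's CN is "<creation timestamp>{<recovery password GUID>}".
    $objects = Get-ADObject @srv -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -Properties whenCreated, msFVE-RecoveryPassword

    $results = foreach ($o in $objects) {
        # The full password ID is the GUID in the object name; the recovery screen
        # shows its first eight characters.
        $id = if ($o.Name -match '\{([0-9A-Fa-f-]{36})\}') { $Matches[1].ToUpper() } else { '' }
        [pscustomobject]@{
            Computer         = $computer.Name
            Created          = $o.whenCreated
            PasswordId       = $id
            RecoveryPassword = $o.'msFVE-RecoveryPassword'
        }
    }

    if ($PasswordIdPrefix) {
        # Step 3: several passwords may exist; the ID the user reads out selects the right one.
        $results = $results | Where-Object { $_.PasswordId.StartsWith($PasswordIdPrefix.ToUpper()) }
    }
    # Newest first, so the current password is at the top when no ID was given.
    $results | Sort-Object Created -Descending
}

# Every stored password for a computer:
# Get-BitLockerRecoveryFromAD -ComputerName 'PC01'
# Only the one whose ID the user read from the recovery screen:
# Get-BitLockerRecoveryFromAD -ComputerName 'PC01' -PasswordIdPrefix 'A1B2C3D4'
```

Reading msFVE-RecoveryPassword is the sensitive step: restrict the right to the helpdesk role that performs the identity check described earlier, and have the query run only after that check, since whoever can read the attribute can unlock the drive.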
Gather information to determine why recovery occurred
Before giving the user the recovery password, information should be gathered that will help determine why the recovery was needed. This information can be used to analyze the root cause during the post-recovery analysis. For more information, see Post-recovery analysis.
Give the user the recovery password
Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If MBAM or Configuration Manager BitLocker Management is being used, the recovery password is regenerated after it is recovered from the MBAM or Configuration Manager database, to avoid the security risks associated with an uncontrolled password.
Note: Because the 48-digit recovery password is long and made up of digits, the user may mishear or mistype it. The boot-time recovery console detects entry errors within each 6-digit block of the 48-digit recovery password and gives the user the opportunity to correct them.
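The per-block check the recovery console performs, reproduced as an added PowerShell example (not from the original article) so a Helpdesk agent can tell a caller which 6-digit group was misheard before they retype all 48 digits. It relies on the documented structure of the recovery password: each 6-digit group is a multiple of 11, and the group divided by 11 must fit in 16 bits, so the group is below 720896. The function name and the sample password are constructed; the sample unlocks nothing.

```powershell
# Added example (not from the original article): validate a 48-digit BitLocker
# recovery password block by block, the way the pre-boot console does.
# Rule per 6-digit group: multiple of 11, and group / 11 < 65536 (so group < 720896).
function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)] [string]$Password)
    $digits = $Password -replace '[\s-]', ''        # accept dashes and spaces between groups
    if ($digits -notmatch '^\d{48}$') {
        return [pscustomobject]@{ Valid = $false; BadBlocks = @(); Reason = 'Expected 48 digits in 8 groups of 6' }
    }
    $bad = @()
    for ($i = 0; $i -lt 8; $i++) {
        $block = [int]$digits.Substring($i * 6, 6)
        # Any single wrong digit changes the value modulo 11, so the group fails the check.
        if ($block % 11 -ne 0 -or $block -ge 720896) { $bad += ($i + 1) }
    }
    [pscustomobject]@{
        Valid     = ($bad.Count -eq 0)
        BadBlocks = $bad                                 # 1-based positions to read back to the user
        Reason    = if ($bad.Count) { "Groups $($bad -join ', ') fail the block check" } else { 'All groups pass' }
    }
}

# Constructed sample: every group is a multiple of 11 below 720896.
$sample = '480546-720885-214126-113102-606067-345488-000011-000000'
Test-BitLockerRecoveryPassword $sample
# The same password with one digit mistyped in the third group; only group 3 is reported.
Test-BitLockerRecoveryPassword ($sample -replace '214126', '214127')
```

The check only proves that a group is well formed, not that it is the right password for the volume; it is a way to catch transcription errors over the phone, not a substitute for the password ID lookup above.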
Post-recovery analysis
When a volume is unlocked using a recovery password, an event is written to the event log, and the platform validation measurements in the TPM are reset to match the current configuration. Unlocking the volume means the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way regardless of how access was granted.
If a computer experiences repeated recovery password unlocks, an administrator may want to perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time the computer starts. For more information, see:
- Determine the root cause of the recovery
- Resolve the root cause
Determine the root cause of the recovery
If a user needed to recover the drive, it is important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security.
While an administrator can remotely investigate the cause of recovery in some cases, the end user might need to bring the computer that contains the recovered drive on site to analyze the root cause further.
Review and answer the following questions for the organization:
- Which BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, or startup key only)? Which Platform Configuration Register (PCR) profile is in use on the PC?
- Did the user merely forget the PIN or lose the startup key? If a token was lost, where could the token be?
- If TPM mode was in effect, was recovery caused by a boot file change?
- If recovery was caused by a boot file change, was the boot file change due to an intended user action (for example, a BIOS upgrade) or to malicious software?
- When was the user last able to start the computer successfully, and what might have happened to the computer since then that could have affected its current state?
- Might the user have encountered malicious software or left the computer unattended since the last successful startup?
To help answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode of the computer.
Scan the event log to find events that help explain why recovery was initiated (for example, whether a boot file change occurred). Both of these tasks can be performed remotely.
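The two evidence sources just named (current configuration and protection mode, plus the BitLocker event log), gathered from the local or a remote computer in one call, as an added PowerShell example that is not from the original article. It assumes the built-in BitLocker module, PowerShell remoting enabled on the remote host, and an elevated session; the function name and the computer name 'PC01' are placeholders.

```powershell
# Added example (not from the original article): collect the protection mode,
# the TPM protector's PCR profile and recent BitLocker events for root-cause
# analysis, locally or over PowerShell remoting. 'PC01' is a placeholder.
function Get-BitLockerRecoveryEvidence {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)

    $collect = {
        param($Days)
        [pscustomobject]@{
            # Protector types reveal the mode in use (Tpm, TpmPin, TpmStartupKey,
            # ExternalKey for startup key only, RecoveryPassword, ...).
            Volumes    = Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
                             @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
            # The "PCR Validation Profile" line of the TPM protector answers the PCR question.
            Protectors = (& manage-bde.exe -protectors -get $env:SystemDrive) -join "`n"
            # Recovery unlocks, protector changes and platform validation resets are logged here.
            Events     = Get-WinEvent -FilterHashtable @{
                             LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
                             StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
                         Select-Object TimeCreated, Id, LevelDisplayName, Message
        }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) { & $collect $Days }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $collect -ArgumentList $Days }
}

$evidence = Get-BitLockerRecoveryEvidence -ComputerName 'PC01'
$evidence.Volumes | Format-Table -AutoSize
$evidence.Protectors
$evidence.Events  | Format-Table TimeCreated, Id, Message -Wrap
```

Read the event list against the "last successful startup" question above: a recovery unlock that coincides with a firmware update or a new protector is an explained event, while one with no matching administrative activity in the same window is the case to escalate.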
Resolve the root cause
After the root cause of recovery has been identified, BitLocker can be reset so that recovery is not triggered at subsequent boots.
The specifics of this reset vary according to the root cause of the recovery. If the root cause cannot be determined, or if malicious software or a rootkit might have infected the computer, the Helpdesk should apply best-practice anti-malware policies to respond appropriately.
Unknown PIN
If a user has forgotten the PIN, the PIN must be reset while the user is logged on to the computer in order to prevent BitLocker from initiating recovery each time the computer restarts.
To prevent continued recovery due to an unknown PIN:
- Unlock the computer using the recovery password.
- Reset the PIN:
- Select the drive and then select Change PIN.
- In the BitLocker Drive Encryption dialog, select Reset a forgotten PIN. If the logged-in account is not an administrator account, administrative credentials must be provided at this point.
- In the PIN reset dialog, provide and confirm the new PIN to be used, and then select Finish.
- The new PIN can be used the next time the drive needs to be unlocked.
Lost startup key
If the USB flash drive that contains the startup key has been lost, the drive must be unlocked using the recovery key. A new startup key can then be created.
To prevent continued recovery due to a lost startup key:
- Log on as an administrator to the computer that has the lost startup key.
- Open Manage BitLocker.
- Select Duplicate start up key, insert the clean USB drive on which the key will be written, and then select Save.
Changes to boot files
This error occurs if the firmware is updated. As a best practice, BitLocker should be suspended before making changes to the firmware, and protection should be resumed after the firmware update has completed. Suspending BitLocker prevents the computer from going into recovery mode. However, if changes were made while BitLocker protection was on, the recovery password can be used to unlock the drive, and the platform validation profile is updated so that recovery does not occur the next time.
BitLocker Device Encryption and Windows RE
Windows Recovery Environment (Windows RE) can be used to recover access to a drive protected by BitLocker Device Encryption. If a PC is unable to boot after two failures, Startup Repair starts automatically. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs, provided that the boot logs or any available crash dump points to a specific corrupted file. On devices that include firmware to support specific TPM measurements for PCR[7], the TPM on Windows 8.1 and later can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE has not been modified.
If the Windows RE environment has been modified, for example by disabling the TPM, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair cannot run automatically from the PC and Windows RE has to be started manually from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker-protected drives.
Windows RE also asks for a BitLocker recovery key when a Remove everything reset from Windows RE is started on a device that uses TPM + PIN or Password for OS drive protection. If BitLocker recovery is started on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, asks for the BitLocker recovery key. After the key is entered, the Windows RE troubleshooting tools can be used, or Windows can be started normally.
The BitLocker recovery screen shown by Windows RE has accessibility tools, such as Narrator and an on-screen keyboard, to help enter the BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, these tools might not be available.
To turn on Narrator during BitLocker recovery in Windows RE, press Windows + CTRL + Enter. To turn on the on-screen keyboard, tap a text input control.
BitLocker recovery screen
During BitLocker recovery, Windows displays a custom recovery message and a few hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery.
Custom recovery message
Starting with Windows 10, version 1511, BitLocker Group Policy settings allow configuring a custom recovery message and URL on the BitLocker recovery screen. The custom recovery message and URL can point to the internal IT website, the BitLocker self-service recovery portal, or a support phone number.
This policy can be configured using GPO under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Configure pre-boot recovery message and URL.
It can also be configured using mobile device management (MDM), including in Intune, via the BitLocker CSP.
Example of a customized BitLocker recovery screen (image not reproduced here).
BitLocker recovery key hints
Starting with Windows 10, version 1903, BitLocker metadata has been enhanced to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API; it is used solely by the BitLocker recovery screen in the form of hints that help the user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. They appear on both the modern (blue) and legacy (black) recovery screens, and apply to both the boot manager recovery screen and the WinRE unlock screen.
It is not recommended to print recovery keys or save them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft account.
BitLocker key package
If the recovery methods discussed earlier in this document do not unlock the volume, the BitLocker Repair tool can be used to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. The recovered data can then be used to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. It is still recommended to save the recovery password; a key package cannot be used without the corresponding recovery password.
The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS, the Backup recovery password and key package option must be selected in the group policy settings that control the recovery method. The key package can also be exported from a working volume. For more information about exporting key packages, see Retrieve the BitLocker Key Package.
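Exporting the key package from a working volume, and the matching repair-bde.exe invocation for a damaged copy of that volume, as an added PowerShell example that is not from the original article. manage-bde.exe -KeyPackage and the repair-bde.exe -kp / -rp switches are real; the function name, drive letters, output folder and the recovery password placeholder are assumptions.

```powershell
# Added example (not from the original article): export a volume's key package
# while the volume is healthy, so repair-bde can later decrypt a damaged copy.
# Assumes an elevated session and the BitLocker module; 'C:', 'D:', 'F:' and
# 'E:\bitlocker-kp' are placeholders.
function Export-BitLockerKeyPackage {
    param([string]$Volume = 'C:', [Parameter(Mandatory)] [string]$OutputFolder)
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    # The key package is bound to a recovery password protector, so find that protector's ID.
    $kp = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    if (-not $kp) { throw "$Volume has no recovery password protector; add one before exporting." }

    # manage-bde writes a .KPG file named after the protector ID into the folder.
    & manage-bde.exe -KeyPackage $Volume -ID $kp.KeyProtectorId -Path $OutputFolder
    Get-ChildItem -Path $OutputFolder -Filter '*.KPG'
}

# On the healthy volume:
# Export-BitLockerKeyPackage -Volume 'C:' -OutputFolder 'E:\bitlocker-kp'
#
# Later, with a damaged copy of that volume attached as D:, decrypt it block by
# block onto an empty target F: using the exported package and the recovery
# password that belongs to the same protector (both placeholders):
# repair-bde.exe D: F: -kp 'E:\bitlocker-kp\<exported file>.KPG' -rp <48-digit recovery password>
```

Store the exported .KPG with the same access controls as the recovery password itself: on its own it cannot decrypt anything, but together with the password it is equivalent to the recovery password for the damaged volume.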