Bitlocker recovery key

Topic

New Reply

I am in the process of setting up my daughter’s new Windows 11 computer.  She turns it on yesterday and the system is asking for her Bitlocker recovery key.  My daughter hasn’t been using the computer as the school year just started so she couldn’t have even accidentally enabled Bitlocker.   One of the ways around Bitlocker is to reset the computer.  I chose to reset the computer and not keep any of my files.  That step takes you to a screen that says – there was a problem resetting the computer and your only option is to click cancel.  How did Bitlocker get enabled and more importantly how do I get around it?  I don’t know if this is related, but the first thing I did with this computer was to try to get rid of the bundled McAfee Antivirus.  I used Revo Uninstaller to remove it, but when I rebooted, it was still there.  So I just thought I would let it expire and enable Windows defender.  Well all of the warnings about McAfee expiring went in my trash so I never saw them.   Could that have triggered Bitlocker?

Reply | Quote

Replies

When did you buy the computer/how did you buy the computer and is there a Microsoft account used on it?

McAfee would not have triggered this.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Some new computers come with Bitlocker enabled by default even if you don’t use a Microsoft ID.
The first time that happened to me, I was appalled. Fortunately, I was able to remove the encryption before the the User got locked out.

Reply | Quote

As I understand it, it’s not fully bitlocker, it’s device encryption. It may look the same but bitlocker won’t be enabled without either a Microsoft account or a Azure AD.  If she’s joined that computer to a school’s Microsoft azure she may have inadvertantly enabled bitlocker.

You CAN have device encryption on a home/local user account https://www.dell.com/support/kbdoc/en-us/000124701/automatic-windows-device-encryption-bitlocker-on-dell-systems

The end result is that you may not be aware of where that recovery key is no matter which rock/hard place you are at.

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker

Note: BitLocker automatic device encryption is enabled only after users sign in with a Microsoft Account or an Azure Active Directory account. BitLocker automatic device encryption is not enabled with local accounts, in which case BitLocker can be manually enabled using the BitLocker Control Panel.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Susan Bradley wrote:

Note: BitLocker automatic device encryption is enabled only after users sign in with a Microsoft Account or an Azure Active Directory account.

Negative.
I do not set up MS accounts on new computers. But when I have disabled Bitlocker on the by-default encrypted new computers, I have watched it go through the process of un-encrypt the drive.

1 user thanked author for this post.

cyberSAR

Reply | Quote

Yep. One of the first things I do now is check and decrypt the drive on new machines.

1 user thanked author for this post.

PKCano

Reply | Quote

As I recall drive encryption will have a similar appearance.  I’ll have to see if I can find a machine (or set one up) and do a comparison article.

With “staged” bitlocker where someone at one time has logged into a Microsoft account, the key will be backed up there and is just waiting for a MSA account to fire it off.  I have literally seen computers where an IT consultant or support person has signed in with THEIR MSA account to set something up.

I just know that Local accounts will not get bitlocker. But that’s not to say that something/someone has not signed in with a MS account along the way. Often that is hard to determine.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

New computer that I ordered from OEM. NO ONE has logged in with ANY account. Out of the box, I create a LOCAL ID – and the computer is encrypted by default.

This has happened to me multiple times. And I have seen it on Users’ computers that I have worked on – they have no clue. It is a disaster waiting to happen for the average Consumer/User that is non-techie. It is not IF, it’s WHEN.

Reply | Quote

Initialized but suspended until an admin Microsoft account signs in.

Reply | Quote

But the disk WAS encrypted. Don’t care if they call that Bitlocker or not. The problem is the same. It is encrypted.

Reply | Quote

PKCano wrote:

It is encrypted.

BUT SUSPENDED.

You’ve been saying “It is not IF, it’s WHEN.” for more than a year now.

Why has no one been locked out of a disk by automatic device encryption yet?

Reply | Quote

Device encryption is not the same as bitlocker but it can look like it’s bitlocker as there will be a padlock on the drive.

https://www.kapilarya.com/fix-device-encryption-is-temporarily-suspended-in-windows-10

https://support.microsoft.com/en-us/windows/device-encryption-in-windows-ad5dcf4b-dbe0-2331-228f-7925c2a3012d

Invariably the problem in this is when someone gets locked out there is no way to get back in and confirm that somehow a Microsoft account was set up along the way and bitlocker did get fully set up.

With kids signing into edu accounts – that’s an Azure AD account and bamn, there goes bitlocker and that bitlocker key may be up there.  However you have no idea that Bitlocker really was enabled.

So the user insists it wasn’t him/her and has no idea where the recovery key is.

 

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Susan Bradley wrote:

You CAN have device encryption on a home/local user account https://www.dell.com/support/kbdoc/en-us/000124701/automatic-windows-device-encryption-bitlocker-on-dell-systems

That article doesn’t refer to any account types, but the link included near the top at;

“Dell computers are not encrypted at the factory but follow the recommendation from Microsoft to support automatic device encryption. BitLocker Device Encryption”
says;

” … a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created.”

Reply | Quote

That should go on to say “If a user signs into ANY Microsoft account or Azure AD including Educational accounts, the bitlocker key will be silently set up and stored”

Many times folks don’t know it’s up there.

https://support.microsoft.com/en-us/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6

The best bet is to log into ANY Microsoft account you can think of that you’ve logged into on that device and see if it’s hiding up there.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Susan Bradley wrote:

That should go on to say “If a user signs into ANY Microsoft account or Azure AD including Educational accounts, the bitlocker key will be silently set up and stored”

It does.

But it doesn’t say you can have device encryption on a home/local account.

BitLocker automatic device encryption starts during Out-of-box (OOBE) experience. However, protection is enabled (armed) only after users sign in with a Microsoft Account or an Azure Active Directory account. Until that, protection is suspended and data is not protected. BitLocker automatic device encryption is not enabled with local accounts,

Reply | Quote

https://www.windowscentral.com/how-enable-device-encryption-windows-10-home#:~:text=How%20to%20Enable%20Device%20Encryption%20Windows%2010%20To,section%2C%20click%20the%20Turn%20on%20button.%20See%20More.

https://www.thewindowsclub.com/microsoft-windows-10-device-encryption-key

https://support.microsoft.com/en-us/windows/device-encryption-in-windows-ad5dcf4b-dbe0-2331-228f-7925c2a3012d

To turn on Windows device encryption

1. Sign in to Windows with an administrator account (you may have to sign out and back in to switch accounts). For more info, see Create a local or administrator account in Windows 10.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Susan Bradley wrote:

https://www.windowscentral.com/how-enable-device-encryption-windows-10-home#:~:text=How%20to%20Enable%20Device%20Encryption%20Windows%2010%20To,section%2C%20click%20the%20Turn%20on%20button.%20See%20More.

https://www.thewindowsclub.com/microsoft-windows-10-device-encryption-key

https://support.microsoft.com/en-us/windows/device-encryption-in-windows-ad5dcf4b-dbe0-2331-228f-7925c2a3012d

The first and third links there are about manual turning on of device encryption.

But the second link, like the Dell link you posted earlier, is about automatic device encryption. That’s what can’t happen without a Microsoft (admin) account, and it says so.

Reply | Quote

I have only a local account on my new laptop. The settings showed it was encrypted but since I never used a Microsoft account, the key was stored in clear on the laptop. I found a procedure to find that key and copy it. Then I went to the settings and clicked “disable bitlocker” and Windows then proceeded to decrypt the drive. It took around 10-15 minutes. So the drive was indeed encrypted, but the key was accessible in clear.

1 user thanked author for this post.

cyberSAR

Reply | Quote

Andy M wrote:

I found a procedure to find that key and copy it. Then I went to the settings and clicked “disable bitlocker” and Windows then proceeded to decrypt the drive.

Why did you need to copy the key?

Reply | Quote

Hi Wheeler:

What is the make and model of your  daughter’s computer, and does it have  a Home or Professional edition of Windows 11?

See the MS support article Finding your BitLocker Recovery Key in Windows. If any user signs in on this computer with a Microsoft Account they should log in at https://account.microsoft.com/devices/recoverykey from another device to see if their recovery key is stored there.  Here’s an old screenshot from my Microsoft Account when BitLocker drive encryption was turned on at Control Panel | System and Security | BitLocker Drive Encryption on my Win 10 Pro laptop (which is now turned off):

If your daughter’s computer has a Win 10 or Win 11 Professional OS it’s possible they inadvertently agreed to have BitLocker enabled when she originally set up her computer during the OOBE (Out Of Box Experience). I recall being asked if I wanted to enable BitLocker encryption on my Win 10 Pro computer the first time I powered it on after purchase and stepped thorough the initial setup. Note that users will see this OOBE setup process after reinstalling the operating system as well.

If your daughter’s computer supports the Modern Standby sleep state (which most newer computers now do – see my post # 2444880 in “Modern” Standby in Newer PCs on how to check if your computer supports Modern Standby / S0 Low Power Idle) then it’s also possible that BitLocker drive encryption was automatically enabled by Windows. The MS support article Overview of BitLocker Device Encryption in Windows states in part that:

“Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those devices that are Modern Standby, and devices that run Home edition of Windows 10 or Windows 11. Microsoft expects that most devices in the future will pass the requirements for BitLocker Device Encryption that will make BitLocker Device Encryption pervasive across modern Windows devices.”

Dell also has a support article at Automatic Windows Device Encryption or BitLocker on Dell Computers that has a list of key hardware requirements.  Many other computer manufacturers like HP, etc. have similar articles on their support site.

I know of several users who purchased a new Dell computer who had no idea that BitLocker drive encryption was enabled on their machine at Control Panel | System and Security | BitLocker Drive Encryption and had never printed out their BitLocker recovery key or backed it up to a safe location like a removable USB stick. For example, see the thread BitLocker: Need a Key But I Never Installed It in the Dell forum about a problem many users encountered back in August 2022 when installation of KB5012170 (Security Update for Secure Boot DBX) triggered a prompt asking users to enter their 48-digit BitLocker recovery key at boot-up. Users who could not find their BitLocker recovery key in their Microsoft Account eventually discovered that re-starting their system 3 or 4 times in succession cleared this prompt.
————
Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3324 * Firefox v117.0.1 * Microsoft Defender v4.18.23080.2006-1.1.23080.2005 * Malwarebytes Premium v4.6.1.280-1.0.2117 * Macrium Reflect Free v8.0.7279

Reply | Quote

I’ve hit this on my Surface.  Mere patching after those @#$@$ secure boot patches will trigger Bitlocker recovery process. Rebooted a second time and it didn’t ask for it again.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Wow!  Thanks for all your help!  A lot to reply to.  First things first.  It’s a Dell computer ordered online directly from Dell website.  Naturally, it is a new school so I am not sure about Azure.   She did an online school last year and doesn’t remember setting up a Microsoft account but..  Will check on that, but had to return that computer to the online school at the end of the school year in May.  I remember reading an article Woody wrote.  It was a checklist of what to do when setting up a new Windows 10 computer.  One of his suggestions was to enable system restore.  That would have gotten me out of this mess.  Anyway,  if she did set up a Microsoft account, I’m sure she doesn’t remember the password.  Would there be a reset password link?

Reply | Quote

Potentially.  Or a reset code sent to a phone number.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Wheeler wrote:

It’s a Dell computer ordered online directly from Dell website….if she did set up a Microsoft account, I’m sure she doesn’t remember the password. Would there be a reset password link?

Hi Wheeler:

During the initial OOBE (Out Of Box Experience) setup of a new Windows 11 computer there is a trick that allows users to set up Windows with a local account instead of a Microsoft Account (see Step # 3 of Susan Bradley’s Windows 11 Setup Tips for Consumers about entering a fake email address during the setup) but I suspect that most home consumers enter the email associated with their existing Microsoft Account or create a new Microsoft Account if they don’t already have one during the OOBE setup. If they prefer to sign in to Windows with a local account on a regular basis (i.e., each time they log in after a system restart) most home consumers will typically create that local account after the initial OOBE setup is complete as instructed in the MS support article Create a Local User or Administrator Account in Windows that Susan mentioned in post # 2587190 and set that local user account as their default profile.

If you daughter has created a Microsoft Account and forgot the password then see the MS support article Reset a Forgotten Microsoft Account Password.
—————-
Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3324 * Firefox v117.0.1 * Microsoft Defender v4.18.23080.2006-1.1.23080.2005 * Malwarebytes Premium v4.6.2.281-1.0.2131 * Macrium Reflect Free v8.0.7279

Reply | Quote

aha Azure was the culprit.  Thanks everyone!

1 user thanked author for this post.

lmacri

Reply | Quote