• Requiring Bit-Locker key when it isn't activated after Win 11 update


    #2607063

    Bit-locker isn’t activated on my Win 11 machine, but after an update this week it is asking for the key and won’t let me past it. Then today I get a call from someone else who had the same issue. One is a Dell desktop and one a Lenovo laptop. Something isn’t right here. I have never seen this and to have it twice in one week? I called Dell and they said just to wipe clean and start over. This needs to be investigated.

     

    Brad

    • #2607065

      Try shutting it down and doing a hard reboot.

      Susan Bradley Patch Lady/Prudent patcher

      • #2607074

        Tried that several times. Can’t even do a restore to last good config or undo last updates.

        Wants a BL key that has never existed because BL is not Active.

        Brad

        • #2607097

          BL is active, just not yet secure.
          If you boot from a USB recovery you should be able to see the partition (C drive) is not formatted / unknown format, which indicates it is encrypted.
          If you can see the partition and files then you can backup prior to reinstalling.

          cheers, Paul

          1 user thanked author for this post.
    • #2607071

      New machines that meet the Bitlocker requirements automatically have BL turned on and the disk encrypted, but the key is stored locally until you log into an MS account. It is then transferred to the account – from where it can be recovered.
      If something triggers a change to BL (Windows patches can do this) the machine will prompt for the BL recovery key.

      If the machine has been used with an MS account you should be able to log in to the account via a browser and retrieve the key.

      cheers, Paul

      2 users thanked author for this post.
    • #2607398

      Some OEMs (Dell for one) sell new computers with Bitlocker turned on by default. The disk IS encrypted, even if you DO NOT log in with a Microsoft ID.

      I know this to be a fact b/c it has happened to me on several occasions. I have seen it go through the un-encryption process when I turn Bitlocker off. And I have said before that this is a case of “not IF, but WHEN” it will happen to the unsuspecting User.

      But, I also remember these facts:
      If you have a Local ID (have not logged in with a MS ID so that the key is stored on MS Servers), the key is stored in plain text on the computer. If you boot the computer from a rescue disk you can access it. (I do not remember the path where it is stored). This information has been discussed on this site in the past, but I do not have the time to go look for it now. I suspect that my comment “not IF, but WHEN” may be one way to search for it.

      [Moderator edit] trimmed personalized comments

      • #2607413

        If you have a Local ID (have not logged in with a MS ID so that the key is stored on MS Servers), the key is stored in plain text on the computer. If you boot the computer from a rescue disk you can access it.

        Hi BradH:

        According to the process.st article How To Get BitLocker Recovery Key Without Microsoft Account you can run a manage-bde command in an elevated command prompt with Administrator rights to view your BitLocker recovery key. The MS Learn article manage-bde protectors confirms the correct syntax is manage-bde -protectors -get <driveletter> (where <driveletter> is normally C: if that is your encrypted drive). Unfortunately, I don’t think you will be able to start your computer in Safe Mode with Command Prompt (according to the MS support article Start Your PC in Safe Mode in Windows, “If you’ve encrypted your device, you’ll need your BitLocker key to start in safe mode”) but if you can manage to boot your computer from a rescue disk as PKCano suggested in post # 2607398 you might be able to open an elevated command prompt and run this manage-bde command.

        You might also find some helpful information in my 13-Sep-2023 post # 2587029 in Wheeler’s BitLocker Recovery Key, which includes links to the Microsoft support article Finding Your BitLocker Recovery Key in Windows (which Susan mentioned in post # 2587060) and the Dell support article Automatic Windows Device Encryption or BitLocker on Dell Computers. In that particular case Wheeler’s daughter had a new Dell computer that began prompting them to enter their BitLocker recovery key at boot-up, and they eventually found the recovery key after she logged in to the Azure AD (Active Directory) account at https://aka.ms/aadrecoverykey that she created when she first signed in to her school email account.

        I know of several users who purchased a new Dell computer who had no idea that BitLocker drive encryption was automatically enabled on their machine at Control Panel | System and Security | BitLocker Drive Encryption and had never printed out their BitLocker recovery key or backed it up to a safe location like a removable USB stick. For example, see K_User’s thread BitLocker: Need a Key But I Never Installed It in the Dell forum about a problem many users encountered back in August 2022 when installation of KB5012170 (Security Update for Secure Boot DBX) triggered a prompt asking users to enter their 48-digit BitLocker recovery key at boot-up. Users who could not retrieve their BitLocker recovery key from a Microsoft Account eventually discovered that re-starting their system 3 or 4 times in succession cleared this prompt.
        ————
        Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3693 * Firefox v120.0.1 * Microsoft Defender v4.18.23100.2009-1.1.23100.2009 * Malwarebytes Premium v4.6.6.294-1.0.2201 * Macrium Reflect Free v8.0.7690

        1 user thanked author for this post.
    • #2607674

      From my reading, when Bitlocker is suspended the plaintext keys are stored on the encrypted drive. To decrypt the drive and access the keys you need to supply the recovery keys, which you can’t obtain because the drive is encrypted – catch 22.

      The only solution is to make regular image backups – as protection from any sort of catastrophic failure.
      The alternative is a full data backup, reinstall Windows and programs, then restore the data.

      cheers, Paul

      • #2607675

        @RetiredGeek, here’s a challenge. Can you write a simple PowerShell script that checks the BL status and warns users if it is suspended / give the user an option to save the recovery keys?
        We can make this a recommended / mandatory “new machine” action in the Newsletter.

        cheers, Paul

        • #2608561

          Paul,

          You can use this PS to determine if the drive is encrypted or not.

          Clear-Host
          
          $DriveLetter = $env:SystemDrive  # Returns the Windows drive, e.g. C:
          
          # Get-WmiObject works in Windows PowerShell 5.1 (it is not present in
          # PowerShell 7). The MicrosoftVolumeEncryption namespace needs an
          # elevated prompt, otherwise nothing is returned.
            $BLArgs = @{Namespace = "Root\cimv2\Security\MicrosoftVolumeEncryption"
                        Class     = "Win32_EncryptableVolume"
                        Filter    = "DriveLetter = '$DriveLetter'"
                       }
            $BitLocker = Get-WmiObject @BLArgs
          
            if(-not $BitLocker)  {
              Write-Warning "No BitLocker object for $DriveLetter"
              return $False
            }
          
            # The 0-5 codes below are ConversionStatus values, so they have to come
            # from GetConversionStatus(). GetProtectionStatus() returns a different
            # 0/1/2 code (unprotected / protected / unknown).
            Switch ($BitLocker.GetConversionStatus().ConversionStatus) {
             0 { "Fully Decrypted"        }
             1 { "Fully Encrypted"        }
             2 { "Encryption in Progress" }
             3 { "Decryption in Progress" }
             4 { "Encryption Paused"      }
             5 { "Decryption Paused"      }
             Default { "Status Unknown"   }
            }  
          
          

          However, the only machine I have that will do BitLocker is my main driver and I’m not amenable to doing testing with it, at least as far as BitLocker is involved.

          I’d also appreciate anyone with an encrypted drive to test this script to see if it returns the correct results. Especially, the “in progress” and “Paused” status.

          May the Forces of good computing be with you!

          RG

          PowerShell & VBA Rule!
          Computer Specs
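The two Win32_EncryptableVolume methods that come up in the replies below use different code tables, and that is the crux of the disagreement. The following is an added example (editor's code, not RG's script and not anything from AskWoody) that reads both for the system drive with the CIM cmdlets, counts any numerical-password (recovery key) protectors, and prints a one-line verdict. It assumes an elevated prompt; the class name, namespace, method names and the 0..5 / 0..2 code tables are as documented by Microsoft for Win32_EncryptableVolume, and the verdict strings are this example's own wording.

```powershell
# Added example: decode BOTH status methods of Win32_EncryptableVolume.
#   GetConversionStatus()  -> 0..5  (decrypted / encrypted / in progress / paused)
#   GetProtectionStatus()  -> 0 unprotected, 1 protected, 2 unknown
# Staged device encryption that was never activated reports Conversion 1 and
# Protection 0 with no numerical-password protector. Run from an elevated
# PowerShell (5.1 or 7); Get-CimInstance/Invoke-CimMethod replace Get-WmiObject.

function Get-SystemDriveBitLockerState {
    param([string]$DriveLetter = $env:SystemDrive)   # e.g. "C:"

    $conversionNames = @{
        0 = 'Fully Decrypted'; 1 = 'Fully Encrypted'; 2 = 'Encryption in Progress'
        3 = 'Decryption in Progress'; 4 = 'Encryption Paused'; 5 = 'Decryption Paused'
    }
    $protectionNames = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }

    $vol = Get-CimInstance -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' `
                           -ClassName 'Win32_EncryptableVolume' `
                           -Filter "DriveLetter = '$DriveLetter'"
    if (-not $vol) {
        Write-Warning "No Win32_EncryptableVolume for $DriveLetter (not elevated, or BitLocker absent)"
        return $null
    }

    # Both methods return a CIM result object; the status is an output parameter.
    $conv = (Invoke-CimMethod -InputObject $vol -MethodName 'GetConversionStatus').ConversionStatus
    $prot = (Invoke-CimMethod -InputObject $vol -MethodName 'GetProtectionStatus').ProtectionStatus

    # KeyProtectorType 3 = numerical password, i.e. the 48-digit recovery key.
    $ids = (Invoke-CimMethod -InputObject $vol -MethodName 'GetKeyProtectors' `
                -Arguments @{ KeyProtectorType = [uint32]3 }).VolumeKeyProtectorID
    $recoveryPasswords = foreach ($id in $ids) {      # zero iterations when $ids is null
        (Invoke-CimMethod -InputObject $vol -MethodName 'GetKeyProtectorNumericalPassword' `
             -Arguments @{ VolumeKeyProtectorID = $id }).NumericalPassword
    }

    # CIM hands back UInt32; cast to [int] so the hashtable keys above match.
    $verdict = if ($conv -eq 1 -and $prot -eq 0 -and -not $recoveryPasswords) {
        'ENCRYPTED BUT UNPROTECTED, NO RECOVERY KEY ON THIS MACHINE'
    } elseif ($conv -eq 1 -and $prot -eq 0) {
        'Protection suspended; make sure the recovery key is saved off this disk'
    } elseif ($conv -eq 0) {
        'Not encrypted'
    } else {
        'See Conversion / Protection'
    }

    [PSCustomObject]@{
        Drive             = $DriveLetter
        Conversion        = $conversionNames[[int]$conv]
        Protection        = $protectionNames[[int]$prot]
        RecoveryPasswords = @($recoveryPasswords).Count
        Verdict           = $verdict
    }
}

Get-SystemDriveBitLockerState | Format-List
```

On a machine in the state Average-Jane describes later in the thread (FullyEncrypted, Protection Off, empty protector list) this prints Conversion "Fully Encrypted", Protection "Unprotected" and zero recovery passwords; a machine with BitLocker properly turned on prints "Protected" and at least one recovery password, which is the number that should already be backed up somewhere other than the encrypted disk.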

          • #2608587

            This works for me, in Admin PowerShell, with a correct “Fully Encrypted” result.

            But I think, for the purposes of detecting initialized but suspended automatic device encryption, it needs to be combined with ProtectionStatus:

            Get BitLocker Status using PowerShell

            Suspended-bitlocker

            • #2608645

              b,

              If you look at the code that’s exactly what it is checking.

              Here’s the link I used to decipher this: Link to MS Learn Documentation

              The information in that link differs from your link. Typical MS, the right hand doesn’t know what the left one is doing!

              May the Forces of good computing be with you!

              RG

              PowerShell & VBA Rule!
              Computer Specs

            • #2608741

              I don’t think your script includes whether protection is currently suspended.

              Perhaps GetProtectionStatus method on that page would show that?

        • #2608610

          I’d say look in the gui and ensure it’s off (if someone isn’t powershell savvy)

          I’ll put it in the setup document.

          Susan Bradley Patch Lady/Prudent patcher

      • #2607694

        From my reading, when Bitlocker is suspended the plaintext keys are stored on the encrypted drive. To decrypt the drive and access the keys you need to supply the recovery keys, which you can’t obtain because the drive is encrypted – catch 22.

        This is incorrect. Nothing on that page refers to device encryption, which is the only form of Bitlocker which is automatically applied to a device.

        • #2608617

          Have you had an instance where a machine that you know never had bitlocker enabled, yet you were faced with entering a recovery key where you had no such thing?

          I’ve had several Surface devices where the key WAS backed up that has popped a recovery key after various updates.

          I’ve had my Dad’s computer where bitlocker is enabled pop a request for the recovery key (I know where it is).

          I’ve had (several years back) a Server where the data drives had a bitlocker key enabled but I never enabled bitlocker on the C drive itself.  Couldn’t log in one weekend and found that the server had rebooted after patches and was asking for a recovery key.  I tried the ones for the data drives and that did nothing. I ended up having to reinstall the C drive on that server, which fortunately did not touch the data drive, re-enabling Hyper-V, getting the server back functional again.  I didn’t find guidance at the time to see if I could find a ‘suspended’ backup key somewhere, I had to reinstall.

          I can personally attest that someone can get into a situation where they know for a fact that bitlocker was not enabled, yet a recovery key is being asked for.

           

          Susan Bradley Patch Lady/Prudent patcher

          3 users thanked author for this post.
          • #2608750

            I’ve dealt with many requests for recovery keys, but never for an unencrypted disk.

          • #2608819

            Have you had an instance where a machine that you know never had bitlocker enabled, yet you were faced with entering a recovery key where you had no such thing?

            I have no use for encryption, and I disabled Bitlocker in Services long ago.  After every update/upgrade I always check Services first to ensure that Bitlocker remains disabled, and that Windows Search (indexing) remains disabled.

            Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
            We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
            We were all once "Average Users".

    • #2607789

      Where a disk is encrypted by the OEM, which seems to now be the case on suitable machines, the keys are stored locally and Bitlocker is “not enabled” until the keys are backed up to “somewhere”.
      Unfortunately for us there seem to be cases where something changes on the machine that invalidates the Bitlocker setup and it asks for the recovery key. If you are using a local user account / not yet logged into somewhere that backs up the key, you do not have the recovery key to enter.

      cheers, Paul

    • #2608743

      Hey Y’all,

      Here’s a second iteration of the program obtaining data by a different method.

      Clear-Host
      
      # Initialize an empty array to hold the table
      $DrvEncInfo = New-Object System.Collections.ArrayList
      $Encrypt    = manage-bde.exe -status
      
      $LineCnt = 0
      
      Do {
      
        $LNParts = $Encrypt[$($LineCnt)].Split(" ")
      
      
        If ($LNParts[0] -eq "Volume") {
         
          [Void]$DrvEncInfo.Add([PSCustomObject]@{
              DriveLtr   = $LNParts[1]
              VolumeName = $Encrypt[$(($LineCnt+=1))]
              Size       = (($Encrypt[$(($LineCnt+=2))].Split(":")
                                )[1].Trim()).Split(" ")[0]
              ConvStatus = 
                  ($Encrypt[$(($LineCnt+=2))].Split(":"))[1].Trim()
              Percent    = 
                  ($Encrypt[$(($LineCnt+=1))].Split(":"))[1].Trim()
              ProtStatus = 
                  ($Encrypt[$(($LineCnt+=2))].Split(":"))[1].Trim()
          })
        
          $LineCnt += 4
      
        } #End If
        
        Else { $LineCnt += 1 }
      
      } While ($LineCnt -lt ($Encrypt.Count))
      
      $fmtEncrypt = 
         @{Expression={$_.DriveLtr};
           Label="Drv`nLtr"; Width=3; Align="Center"},
         @{Expression={$_.VolumeName};
           Label="Volume`nName";Width=13; ALign="Left"},
         @{Expression={$_.Size};
           Label="Size`nGB"; Width=10; Align="Right"},
         @{Expression={$_.ConvStatus};
           Label="`nConversion Status"; Width=20; Align='Left'},
         @{Expression={$_.Percent};
           Label="Percent`nEncrypted"; Width=9; Align="Right"},
         @{Expression={$_.ProtStatus};
           Label="`nProtection Status"; Width=20; Align='Left'}
      
      $DrvEncInfo | Format-Table $fmtEncrypt
      
      

      Results:

      Vers2BitLocker-Tests-Result

      This seems like it provides a more detailed look at the status.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

      1 user thanked author for this post.
      • #2608853

        “Get-BitLockerVolume” seems to get similar results, but with additional info.

        And get the key: (Get-BitLockerVolume -MountPoint C).KeyProtector

        cheers, Paul

        1 user thanked author for this post.
        • #2608951

          Paul,

          Same Information…much simpler code!

          Clear-Host
          
          $DrvEncInfo = Get-BitLockerVolume
          
          $fmtEncrypt = 
             @{Expression={$_.MountPoint};
               Label="Drv`nLtr"; Width=3; 
               Align="Center"},
             @{Expression={$_.VolumeType};
               Label="Volume`nName";Width=18; 
               ALign="Left"},
             @{Expression={
               ([Math]::Round(($_.CapacityGB),2))};
               Label="Size`nGB"; Width=10; 
               Align="Right"},
             @{Expression={$_.VolumeStatus};
               Label="`nConversion Status"; 
               Width=20; Align='Left'},
             @{Expression={$_.EncryptionPercentage};
               Label="Percent`nEncrypted"; Width=9;
               Align="Right"},
             @{Expression={$_.ProtectionStatus};
               Label="Protection`nStatus"; Width=20;
               Align='Center'}
          
          $DrvEncInfo | Format-Table $fmtEncrypt
          

          Get-BitLockerVolume-Test-Results

          So Microsoft has now provided us with three different ways to get at this information!

          May the Forces of good computing be with you!

          RG

          PowerShell & VBA Rule!
          Computer Specs

          1 user thanked author for this post.
          • #2608991

            This worked fine for me.

            (It renamed my C: drive to “=”Protection`nStatus”; Width=20;”, but I now realize that was because I mistakenly ran it in a Command Prompt tab of Terminal before switching to a PowerShell tab.)

    • #2608817

      Just had someone call me with another Windows 11 computer asking for BitLocker key. Something is really wrong with Windows 11. Seen this 4 times in a week.

      Brad

      1 user thanked author for this post.
    • #2608963

      All we need now is a new W11 machine to test it on.
      Anyone getting an early xmas pressie and have time to play?

      cheers, Paul

      • #2608992

        Please don’t throw out multiple people’s experience by asking for “one more proof.”

        1 user thanked author for this post.
        • #2609107

          I am sure it is a thing, as I wrote earlier.
          What I am asking is for a W11 machine that has BL enabled from new that has not been through the OOBE process. It can then be backed up and setup with a local account for testing RG’s script. Once it’s up to scratch we can do a “check your BL status on your new W11 machine” article for the newsletter.

          cheers, Paul

          • #2611203

            I have a new windows 11 we got for the office, local account. One that has no data on it, we just use it for meetings, etc.  Let me grab it this week (but not tonight) and see if it has the staged bitlocker.  It is one of the newish ARM based machines so in case that adds a wrinkle.  Let me get the patching analysis behind me and I can look at it.

            Susan Bradley Patch Lady/Prudent patcher

            1 user thanked author for this post.
            • #2611232

              I have Pro not Home (rats) but it CLEARLY has DEVICE ENCRYPTION pending but not Bitlocker.

              Susan Bradley Patch Lady/Prudent patcher

              1 user thanked author for this post.
            • #2611327

              If it is pending the disk should be encrypted – probably test by booting Linux?

              What do these 2 PS commands return?
              Get-BitLockerVolume
              (Get-BitLockerVolume -MountPoint C).KeyProtector

              cheers, Paul

            • #2628648

              See Add-BitLockerKeyProtector (BitLocker) | Microsoft Learn for details on the BitLocker KeyProtector. This being Microsoft documentation you can be led down a deep rabbit hole as almost nothing is straight forward.

              --Joe

            • #2628571

              Susan, can you give us the format for the data returned by (Get-BitLockerVolume -MountPoint C).KeyProtector?

              cheers, Paul

    • #2609319

      Very interesting thread on the drive encryption and a Macrium image (without enabling bitlocker support when created). Worth the read.

      https://www.elevenforum.com/t/all-partitions-are-bitlocker-on-win-11-home-sl.20324/

       

      4 users thanked author for this post.
    • #2612365

      Hoping someone can help me here.

      I recently set up a Windows 11 Home laptop for my mother. (Lenovo, if it matters).  I set it up with a local account, as in, I connected to the internet, input a bogus Microsoft Account address, “flubbed” the password, and got redirected to local account creation.  So no microsoft account ever touched this laptop.  There is a local account with administrator privileges.

      I checked Disk Management, and it says her C: drive is Bitlocker encrypted.  The control panel has no dedicated bitlocker or disk encryption tools anymore as those have been redirected to Settings.  I checked Settings > Privacy and Security > Device Encryption.  Encryption is ON, but choosing to “Bitlocker Drive Encryption” redirects to the Microsoft Store, and “Find Your Bitlocker Recovery Key” redirects to a web page where the advice hinges on the key being in your Microsoft Account.

      I tried the prompt mentioned earlier
      (Command Prompt, manage-bde -protectors C: -get and PowerShell, Get-BitLockerVolume)
      (How To Get Bitlocker Recovery Key Without Microsoft Account (process.st))

      But it said access was denied and to make sure I have administrator privileges, even though I was using Command Prompt and Powershell from a Local Administrator account.

      Is there any other way to find the Bitlocker key without resorting to a Microsoft account?  And if the key cannot be elucidated without involving a Microsoft Account, is it advisable to turn off Device Encryption in Settings?

      • #2612376

        I tried the prompt mentioned earlier
        (Command Prompt, manage-bde -protectors C: -get and PowerShell, Get-BitLockerVolume)

        (How To Get Bitlocker Recovery Key Without Microsoft Account (process.st))

        But it said access was denied and to make sure I have administrator privileges, even though I was using Command Prompt and Powershell from a Local Administrator account.

        Did you:
        “Open Command Prompt: Press the Windows key + X and select “Command Prompt (Admin)”?

        If you open This PC in File Explorer, does the C: drive icon have a yellow triangle with exclamation mark like this?

        Suspended device encryption

        • #2612379

          Thanks for the quick reply.  I had not, but when I ran as administrator and ran the same command, it said there were no keys…

          • #2612384

            What does the first PowerShell command, Get-BitLockerVolume (which also has to be run from PowerShell (Admin)) show for C: under Volume Status, Key Protector and Protection Status?

            • #2612386

              Volume Status = FullyEncrypted

              Key Protector = ” {} ”

              Protection Status = Off

            • #2612390

              That means the disk has been encrypted BUT protection is suspended and no key required until an administrator signs in with a Microsoft Account (when the key would be stored to that account).

              How does your C: drive appear under This PC in File Explorer? (icons or warnings)

              If you’re determined not to use a Microsoft Account you should turn off device encryption, as it will never be fully activated otherwise.

              1 user thanked author for this post.
            • #2612391

              The C: drive does not have any lock icons or warning flags.

              Thank you for the advice, b!

              1 user thanked author for this post.
              b
    • #2612434

      Volume Status = FullyEncrypted

      To encrypt the disk there must be keys.
      The MS blurb says they are stored on disk when BL is suspended, which I take to mean the small (~100MB) FAT32 boot partition.
      If the keys are actually stored on the encrypted disk then a configuration change / firmware update may invalidate the TPM config and require manual input of the recovery keys, as we are seeing.

      Edit
      It seems the clear keys are stored on the encrypted volume in the BL metadata (which is not encrypted).
      This means that Windows should never ask for the recovery key as long as the clear key is present, so issues we are seeing imply that the recovery key has been automatically backed up somewhere and the clear key removed.
      If this is the case then a warning to users if the clear key is present, or a simple recovery key export attempt should be standard practice for all new machines, with regular checks if the disk remains encrypted but not protected to remind the user of the potential for data loss.

      cheers, Paul
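Paul's earlier challenge (a script that warns if protection is suspended and offers to save the recovery key) and the conclusion above (warn if the disk is encrypted but not protected, and attempt a recovery key export as standard practice on new machines) both come down to the same check. Here is an added example of that check, the editor's code and not anything posted in the thread, built on Get-BitLockerVolume, the same cmdlet RG and Paul used above. Assumptions: it is run from an elevated PowerShell; E:\ stands in for a USB stick and is only an example path; the -AddRecoveryPassword switch is an opt-in choice of this example that creates a recovery password protector on a volume that has none (it does not turn protection on, so the machine keeps booting as before); the warning texts are this example's own wording.

```powershell
# Added example: flag "encrypted but unprotected" volumes (the staged
# device-encryption state discussed in this thread) and save every recovery
# password to a file that should live OFF the encrypted disk. Run elevated.

function Test-BitLockerExposure {
    [CmdletBinding()]
    param(
        # Destination for the keys. Use removable media: a copy kept on the
        # encrypted disk is unreadable exactly when you need it. (assumed path)
        [Parameter(Mandatory)] [string]$SavePath,
        # Opt in to adding a recovery password where a volume has none.
        [switch]$AddRecoveryPassword
    )

    $lines  = [System.Collections.Generic.List[string]]::new()
    $report = foreach ($v in Get-BitLockerVolume) {
        $rp = @($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        # FullyEncrypted + Off (usually with an empty KeyProtector list) is the
        # state that produced "Key Protector = {}" earlier in this thread.
        $staged = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'Off')

        if ($staged -and $rp.Count -eq 0 -and $AddRecoveryPassword) {
            Add-BitLockerKeyProtector -MountPoint $v.MountPoint -RecoveryPasswordProtector | Out-Null
            $rp = @((Get-BitLockerVolume -MountPoint $v.MountPoint).KeyProtector |
                    Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
        foreach ($p in $rp) {
            $lines.Add("Drive $($v.MountPoint)  Protector ID $($p.KeyProtectorId)  Recovery key $($p.RecoveryPassword)")
        }

        $warning = if ($staged -and $rp.Count -eq 0) {
            'ENCRYPTED, NO RECOVERY KEY: a recovery prompt after an update leaves nothing to type'
        } elseif ($staged) {
            'Protection suspended; confirm the recovery key is saved off this disk'
        } elseif ($v.ProtectionStatus -eq 'On' -and $rp.Count -eq 0) {
            'Protected with no recovery password to fall back on'
        } else { '' }

        [PSCustomObject]@{
            Drive             = $v.MountPoint
            VolumeStatus      = $v.VolumeStatus
            Protection        = $v.ProtectionStatus
            Protectors        = (@($v.KeyProtector.KeyProtectorType) -join ',')
            RecoveryPasswords = $rp.Count
            Warning           = $warning
        }
    }

    if ($lines.Count -gt 0) {
        $dir = Split-Path -Parent $SavePath
        if ($dir -and -not (Test-Path $dir)) {
            Write-Warning "Destination '$dir' is missing (USB stick not plugged in?). Keys NOT saved."
        } else {
            Set-Content -Path $SavePath -Value $lines
            Write-Host "Saved $($lines.Count) recovery key line(s) to $SavePath"
        }
    }
    $report
}

# E:\ is an assumed removable drive; change it to wherever your USB stick mounts.
Test-BitLockerExposure -SavePath 'E:\BitLocker-RecoveryKeys.txt' | Format-Table -AutoSize
```

Run it once on a new machine before the first round of updates and again after any firmware or Secure Boot DBX update. A user who would rather not encrypt at all can instead run Disable-BitLocker -MountPoint C: (the cmdlet equivalent of switching Device Encryption off in Settings) and watch EncryptionPercentage in Get-BitLockerVolume fall to 0 before trusting the disk to be plain.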

      • #2612454

        According to this : https://www.partitionwizard.com/disk-recovery/bitlocker-recovery-key.html

        Recovery key may be found in a txt file by simply searching for ‘BitLocker Recovery Key’

        Or, use cracking apps :

        BitCracker
        Passware Kit
        Thegrideon Software…

        https://www.minitool.com/partition-disk/forgot-bitlocker-password.html

        • #2612458

          They both say you can TRY, but neither is talking about automatic device encryption which does not store the recovery key locally.

      • #2612496

        Edit
        It seems the clear keys are stored on the encrypted volume in the BL metadata (which is not encrypted).
        This means that Windows should never ask for the recovery key as long as the clear key is present, so issues we are seeing imply that the recovery key has been automatically backed up somewhere and the clear key removed.

        Yes. For instance;

        Tip: During COVID we have seen a lot of customers who were suddenly working or attending school from home and may have been asked to sign into a work or school account from their personal computer. If that was your experience too, then it’s possible your work or school has a copy of your BitLocker recovery key.

        Finding your BitLocker recovery key in Windows

        • #2612514

          Regardless of the reason BitLocker is activated or where the recovery key has been stored, the issue is that users are not informed and have no recovery option when things go pear shaped.

          The least we can do is attempt to inform users via some simple commands as part of their initial setup / backup strategy.

          cheers, Paul

          3 users thanked author for this post.