• Requiring Bit-Locker key when it isnt activated after Win 11 update

    Home » Forums » AskWoody support » Windows » Windows 11 » Windows 11 version 23H2 » Requiring Bit-Locker key when it isnt activated after Win 11 update

    Author
    Topic
    #2607063

    Bit-locker isn’t activated on my Win 11 machine, but after an update this week it is asking for the key and wont let me past it. Then today I get a call from someone else who had the same issue. One is a Dell desktop and one a Lenovo laptop. Something isn’t right here. I have never seen this and to have it twice in one week? I called Dell and they said just to wipe clean and start over. This needs to be investigated.

     

    Brad

    Viewing 10 reply threads
    Author
    Replies
    • #2607065

      Try shutting it down and doing a hard reboot.

      Susan Bradley Patch Lady/Prudent patcher

      • #2607074

        Tried that several times. Can’t even do a restore to last good config or undo last updates.

        Wants a BL key that has never existed because BL is not Active.

        Brad

        • #2607097

          BL is active, just not yet secure.
          If you boot from a USB recovery you should be able to see the partition (C drive) is not formatted / unknown format, which indicates it is encrypted.
          If you can see the partition and files then you can backup prior to reinstalling.

          cheers, Paul

          1 user thanked author for this post.
    • #2607071

      New machines that meet the Bitlocker requirements automatically have BL turned on and the disk encrypted, but the key is stored locally until you log into an MS account. It is then transferred to the account – from where it can be recovered.
      If something triggers a change to BL (Windows patches can do this) the machine will prompt for the BL recovery key.

      If the machine been used with an MS account you should be able to login to the account via a browser and retrieve the key.

      cheers, Paul

      2 users thanked author for this post.
    • #2607398

      Some OEMs (Dell for one) sell new computers with Bitlocker turned on by default. The disk IS encrypted, even if you DO NOT log in with a Microsoft ID.

      I know this to be a fact b/c it has happened to me on several occasions. I have seen it go through the un-encryption process when I turn Bitlocker off. And I have said before that this is a case of “not IF, but WHEN” it will happen to the unsuspecting User.

      But, I also remember these facts:
      If you have a Local ID (have not logged in with a MS ID so that the key is stored on MS Servers), the key is stored in plain text on the computer. If you boot the computer from a rescue disk you can access it. (I do not remember the path where it is stored). This information has been discussed on this site in the past, but I do not have the time to go look for it now. I suspect that my comment “not IF, but WHEN” may be one way to search for it.

      [Moderator edit] trimmed personalized comments

      • #2607413

        If you have a Local ID (have not logged in with a MS ID so that the key is stored on MS Servers), the key is stored in plain text on the computer. If you boot the computer from a rescue disk you can access it.

        Hi BradH:

        According to the process.st article How To Get BitLocker Recovery Key Without Microsoft Account you can run a manage-bde command in an elevated command prompt with Administrator rights to view your BitLocker recovery key. The MS Learn article manage-bde protectors confirms the correct syntax is manage-bde -protectors -get <drivelettter> (where <driveletter> is normally C: if that is your encrypted drive). Unfortunately, I don’t think you will be able start your computer in Safe Mode with Command Prompt (according to the MS support article Start Your PC in Safe Mode in WindowsIf you’ve encrypted your device, you’ll need your BitLocker key to start in safe mode“) but if you can manage boot your computer from a rescue disk as PKCano suggested in post # 2607398 you might be able to open an elevated command prompt and run this manage-bde command.

        You might also find some helpful information in my 13-Sep-2023 post # 2587029 in Wheeler’s BitLocker Recovery Key  which includes a links to the Microsoft support article Finding Your BitLocker Recovery Key in Windows (which Susan mentioned in post # 2587060) and Dell support article Automatic Windows Device Encryption or BitLocker on Dell Computers. In that particular case Wheeler’s daughter had a new Dell computer that began prompting them to enter their BitLocker recovery key at boot-up, and they eventually found the recovery key after she logged in to the Azure AD (active directory) account at https://aka.ms/aadrecoverykey that she created when she first signed in to her school email account.

        I know of several users who purchased a new Dell computer who had no idea that BitLocker drive encryption was automatically enabled on their machine at Control Panel | System and Security | BitLocker Drive Encryption and had never printed out their BitLocker recovery key or backed it up to a safe location like a removable USB stick. For example, see K_User’s thread BitLocker: Need a Key But I Never Installed It in the Dell forum about a problem many users encountered back in August 2022 when installation of KB5012170 (Security Update for Secure Boot DBX) triggered a prompt asking users to enter their 48-digit BitLocker recovery key at boot-up. Users who could not retrieve their BitLocker recovery key from a Microsoft Account eventually discovered that re-starting their system 3 or 4 times in succession cleared this prompt.
        ————
        Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3693 * Firefox v120.0.1 * Microsoft Defender v4.18.23100.2009-1.1.23100.2009 * Malwarebytes Premium v4.6.6.294-1.0.2201 * Macrium Reflect Free v8.0.7690

        1 user thanked author for this post.
    • #2607674

      From my reading, when Bitlocker is suspended the plaintext keys are stored on the encrypted drive. To decrypt the drive and access the keys you need to supply the recovery keys, which you can’t obtain because the drive is encrypted – catch 22.

      The only solution is to make regular image backups – as protection from any sort of catastrophic failure.
      The alternative is a full data backup, reinstall Windows and programs, then restore the data.

      cheers, Paul

      • #2607675

        @RetiredGeek, here’s a challenge. Can you write a simple PowerShell script that checks the BL status and warns users if it is suspended / give the user an option to save the recovery keys?
        We can make this a recommended / mandatory “new machine” action in the Newsletter.

        cheers, Paul

        • #2608561

          Paul,

          You can use this PS to determine if the drive is encrypted or not.

          Clear-Host
          
          $DriveLetter = $env:SystemDrive  #Returns the Windows Drive
          
            $BLArgs = @{Namespace = "Root\cimv2\Security\MicrosoftVolumeEncryption"
                        Class     = "Win32_EncryptableVolume"
                        Filter    = "DriveLetter = '$DriveLetter'"
                       }
            $BitLocker = Get-WmiObject @BLArgs
          
            if(-not $BitLocker)  {
              LogMessage("No BitLocker object")
              return $False
            }
          
            Switch ($BitLocker.GetProtectionStatus().protectionStatus) {
             0 { "Fully Decrypted"        }
             1 { "Fully Encrypted"        }
             2 { "Encryption in Progress" }
             3 { "Decryption in Progress" }
             4 { "Encryption Paused"      }
             5 { "Decryption Paused"      }
             Default { "Status Unknown"   }
            }  
          

          However, The only machine I have that will do BitLocker is my main driver and I’m not amenable to doing testing with it at least as far as BitLocker is involved.

          I’d also appreciate anyone with an encrypted drive to test this script to see if it returns the correct results. Especially, the “in progress” and “Paused” status.

          May the Forces of good computing be with you!

          RG

          PowerShell & VBA Rule!
          Computer Specs

        • #2608610

          I’d say look in the gui and ensure it’s off (if someone isn’t powershell savvy)

          I’ll put it in the setup document.

          Susan Bradley Patch Lady/Prudent patcher

      • #2607694

        From my reading, when Bitlocker is suspended the plaintext keys are stored on the encrypted drive. To decrypt the drive and access the keys you need to supply the recovery keys, which you can’t obtain because the drive is encrypted – catch 22.

        This is incorrect. Nothing on that page refers to device encryption, which is the only form of Bitlocker which is automatically applied to a device.

        • #2608617

          Have you had an instance where a machine that you know never had bitlocker enabled, yet you were faced with entering a recovery key where you had no such thing?

          I’ve had several Surface devices where the key WAS backed up that has popped a recovery key after various updates.

          I’ve had my Dad’s computer where bitlocker is enabled pop a request for the recovery key (I know where it is).

          I’ve had (several years back) a Server where the data drives had a bitlocker key enabled but I never enabled bitlocker on the C drive itself.  Couldn’t log in one weekend and found that the server had rebooted after patches and was asking for a recovery key.  I tried the ones for the data drives and that did nothing. I ended up having to reinstall the C drive on that server, which fortunately did not touch the data drive, reenabling HyperV, getting the server back functional again.  I didn’t find guidance at the time to see if I could find a ‘suspended’ backup key somewhere, I had to reinstall.

          I can personally attest that someone can get into a situation where they know for a fact that bitlocker was not enabled, yet a recovery key is being asked for.

           

          Susan Bradley Patch Lady/Prudent patcher

          3 users thanked author for this post.
          • #2608750

            I’ve dealt with many requests for recovery keys, but never for an unencrypted disk.

          • #2608819

            Have you had an instance where a machine that you know never had bitlocker enabled, yet you were faced with entering a recovery key where you had no such thing?

            I have no use for encryption, and I disabled Bitlocker in Services long ago.  After every update/upgrade I always check Services first to ensure that Bitlocker remains disabled, and that Windows Search (indexing) remains disabled.

            Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
            We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

    • #2607789

      Where a disk is encrypted by the OEM, which seems to now be the case on suitable machines, the keys are stored locally and Bitlocker in “not enabled” until the keys are backed up to “somewhere”.
      Unfortunately for us there seem to be cases where something changes on the machine that invalidates the Bitlocker setup and it asks for the recovery key. If you are using a local user account / not yet logged into somewhere that backs up the key, you do not have the recovery key to enter.

      cheers, Paul

    • #2608743

      Hey Y’all,

      Here’s a second iteration of the program obtaining data by a different method.

      Clear-Host
      
      # Initialize an empty array to hold the table
      $DrvEncInfo = New-Object System.Collections.ArrayList
      $Encrypt    = manage-bde.exe -status
      
      $LineCnt = 0
      
      Do {
      
        $LNParts = $Encrypt[$($LineCnt)].Split(" ")
      
      
        If ($LNParts[0] -eq "Volume") {
         
          [Void]$DrvEncInfo.Add([PSCustomObject]@{
              DriveLtr   = $LNParts[1]
              VolumeName = $Encrypt[$(($LineCnt+=1))]
              Size       = (($Encrypt[$(($LineCnt+=2))].Split(":")
                                )[1].Trim()).Split(" ")[0]
              ConvStatus = 
                  ($Encrypt[$(($LineCnt+=2))].Split(":"))[1].Trim()
              Percent    = 
                  ($Encrypt[$(($LineCnt+=1))].Split(":"))[1].Trim()
              ProtStatus = 
                  ($Encrypt[$(($LineCnt+=2))].Split(":"))[1].Trim()
          })
        
          $LineCnt += 4
      
        } #End If
        
        Else { $LineCnt += 1 }
      
      } While ($LineCnt -lt ($Encrypt.Count))
      
      $fmtEncrypt = 
         @{Expression={$_.DriveLtr};
           Label="Drv`nLtr"; Width=3; Align="Center"},
         @{Expression={$_.VolumeName};
           Label="Volume`nName";Width=13; ALign="Left"},
         @{Expression={$_.Size};
           Label="Sizen\GB"; Width=10; Align="Right"},
         @{Expression={$_.ConvStatus};
           Label="`nConversion Status"; Width=20; Align='Left'},
         @{Expression={$_.Percent};
           Label="PercentnEncrypted"; Width=9; Align="Right"},
         @{Expression={$_.ProtStatus};
           Label="`nProtection Status"; Width=20; Align='Left'}
      
      $DrvEncInfo | ft $fmtEncrypt
      
      

      Results:

      Vers2BitLocker-Tests-Result

      This seems like it provides a more detailed look at the status.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

      1 user thanked author for this post.
      • #2608853

        “Get-BitLockerVolume” seems to get similar results, but with additional info.

        And get the key: (Get-BitLockerVolume -MountPoint C).KeyProtector

        cheers, Paul

        1 user thanked author for this post.
        • #2608951

          Paul,

          Same Information…much simpler code!

          Clear-Host
          
          $DrvEncInfo = Get-BitLockerVolume
          
          $fmtEncrypt = 
             @{Expression={$_.MountPoint};
               Label="Drv`nLtr"; Width=3; 
               Align="Center"},
             @{Expression={$_.VolumeType};
               Label="Volume`nName";Width=18; 
               ALign="Left"},
             @{Expression={
               ([Math]::Round(($_.CapacityGB),2))};
               Label="Size`n\GB"; Width=10; 
               Align="Right"},
             @{Expression={$_.VolumeStatus};
               Label="`nConversion Status"; 
               Width=20; Align='Left'},
             @{Expression={$_.EncryptionPercentage};
               Label="Percent`nEncrypted"; Width=9;
               Align="Right"},
             @{Expression={$_.ProtectionStatus};
               Label="Protection`nStatus"; Width=20;
               Align='Center'}
          
          $DrvEncInfo | ft $fmtEncrypt
          

          Get-BitLockerVolume-Test-Results

          So Microsoft has now provided us with three different ways to get at this information!

          May the Forces of good computing be with you!

          RG

          PowerShell & VBA Rule!
          Computer Specs

          1 user thanked author for this post.
          • #2608991

            This worked fine for me.

            (It renamed my C: drive to “=”Protection`nStatus”; Width=20;”, but I now realize that was because I mistakenly ran it in a Command Prompt tab of Terminal before switching to a PowerShell tab.)

    • #2608817

      Just had someone call me with another Windows 11 computer asking for BitLocker key. Something is really wrong with Windows 11. Seen this 4 times in a week.

      Brad

      1 user thanked author for this post.
    • #2608963

      All we need now is a new W11 machine to test it on.
      Anyone getting an early xmas pressie and have time to play?

      cheers, Paul

      • #2608992

        Please don’t throw out multiple people’s experience by asking for “one more proof.”

        1 user thanked author for this post.
        • #2609107

          I am sure it is a thing, as I wrote earlier.
          What I am asking is for a W11 machine that has BL enabled from new that has not been through the OOBE process. It can then be backed up and setup with a local account for testing RG’s script. Once it’s up to scratch we can do a “check your BL status on your new W11 machine” article for the newsletter.

          cheers, Paul

          • #2611203

            I have a new windows 11 we got for the office, local account. One that has no data on it, we just use it for meetings, etc.  Let me grab it this week (but not tonight) and see if it has the staged bitlocker.  It is one of the newish ARM based machines so in case that adds a wrinkle.  Let me get the patching analysis behind me and I can look at it.

            Susan Bradley Patch Lady/Prudent patcher

            1 user thanked author for this post.
    • #2609319

      Very interesting thread on the drive encryption and a Macrium image (without enabling bitlocker support when created). Worth the read.

      https://www.elevenforum.com/t/all-partitions-are-bitlocker-on-win-11-home-sl.20324/

       

      Never Say Never

      4 users thanked author for this post.
    • #2612365

      Hoping someone can help me here.

      I recently set up a Windows 11 Home laptop for my mother. (Lenovo, if it matters).  I set it up with a local account, as in, I connected to the internet, input a bogus Microsoft Account address, “flubbed” the password, and got redirected to local account creation.  So no microsoft account ever touched this laptop.  There is a local account with administrator privileges.

      I checked Disk Management, and it says her C: drive is Bitlocker encrypted.  The control panel has no dedicated bitlocker or disk encryption tools anymore as those have been redirected to Settings.  I checked Settings > Privacy and Security > Device Encryption.  Encryption is ON, but choosing to “Bitlocker Drive Encryption” redirects to the Microsoft Store, and “Find Your Bitlocker Recovery Key” redirects to a web page where the advice hinges on the key being in your Microsoft Account.

      I tried the prompt mentioned earlier
      (Command Prompt, manage-bde -protectors C: -get and PowerShell, Get-BitLockerVolume)
      (How To Get Bitlocker Recovery Key Without Microsoft Account (process.st))

      But it said access was denied and to make sure I have administrator privileges, even though I was using Command Prompt and Powershell from a Local Administrator account.

      Is there any other way to find the Bitlocker key without resorting to a Microsoft account?  And if the key cannot be elucidated without involving a Microsoft Account, is it advisable to turn off Device Encryption in Settings?

      • This reply was modified 2 months, 1 week ago by Average-Jane. Reason: more detail
      • #2612376

        I tried the prompt mentioned earlier
        (Command Prompt, manage-bde -protectors C: -get and PowerShell, Get-BitLockerVolume)

        (How To Get Bitlocker Recovery Key Without Microsoft Account (process.st))

        But it said access was denied and to make sure I have administrator privileges, even though I was using Command Prompt and Powershell from a Local Administrator account.

        Did you;
        “Open Command Prompt: Press the Windows key + X and select “Command Prompt (Admin)”?

        If you open This PC in File Explorer, does the C: drive icon have a yellow triangle with exclamation mark like this?

        Suspended device encryption

        • #2612379

          Thanks for the quick reply.  I had not, but when I ran as administrator and ran the same command, it said there were no keys…

          • #2612384

            What does the first PowerShell command, Get-BitLockerVolume (which also has to be run from PowerShell (Admin)) show for C: under Volume Status, Key Protector and Protection Status?

            • #2612386

              Volume Status = FullyEncrypted

              Key Protector = ” {} ”

              Protection Status = Off

            • #2612390

              That means the disk has been encrypted BUT protection is suspended and no key required until an administrator signs in with a Microsoft Account (when the key would be stored to that account).

              How does your C: drive appear under This PC in File Explorer? (icons or warnings)

              If you’re determined not to use a Microsoft Account you should turn off device encryption, as it will never be fully activated otherwise.

              1 user thanked author for this post.
            • #2612391

              The C: drive does not have any lock icons or warning flags.

              Thank you for the advice, b!

              1 user thanked author for this post.
              b
    • #2612434

      Volume Status = FullyEncrypted

      To encrypt the disk there must be keys.
      The MS blurb says they are stored on disk when BL is suspended, which I take to mean the small (~100MB) FAT32 boot partition.
      If the keys are actually stored on the encrypted disk then a configuration change / firmware update may invalidate the TPM config and require manual input of the recovery keys, as we are seeing.

      Edit
      It seems the clear keys are stored on the encrypted volume in the BL metadata (which is not encrypted).
      This means that Windows should never ask for the recovery key as long as the clear key is present, so issues we are seeing imply that the recovery key has been automatically backed up somewhere and the clear key removed.
      If this is the case then a warning to users if the clear key is present, or a simple recovery key export attempt should be standard practice for all new machines, with regular checks if the disk remains encrypted but not protected to remind the user of the potential for data loss.

      cheers, Paul

      • #2612454

        According to this : https://www.partitionwizard.com/disk-recovery/bitlocker-recovery-key.html

        Recovery key may be found in a txt file by simply searching for ‘BitLocker Recovery Key’

        Or, use cracking apps :

        BitCracker
        Passware Kit
        Thegrideon Software…

        https://www.minitool.com/partition-disk/forgot-bitlocker-password.html

        • #2612458

          They both say you can TRY, but neither is talking about automatic device encryption which does not store the recovery key locally.

      • #2612496

        Edit
        It seems the clear keys are stored on the encrypted volume in the BL metadata (which is not encrypted).
        This means that Windows should never ask for the recovery key as long as the clear key is present, so issues we are seeing imply that the recovery key has been automatically backed up somewhere and the clear key removed.

        Yes. For instance;

        Tip: During COVID we have seen a lot of customers who were suddenly working or attending school from home and may have been asked to sign into a work or school account from their personal computer. If that was your experience too, then it’s possible your work or school has a copy of your BitLocker recovery key.

        Finding your BitLocker recovery key in Windows

        • #2612514

          Regardless of the reason BitLocker is activated or where the recovery key has been stored, the issue is that users are not informed and have no recovery option when things go pear shaped.

          The least we can do is attempt to inform users via some simple commands as part of their initial setup / backup strategy.

          cheers, Paul

          3 users thanked author for this post.
    Viewing 10 reply threads
    Reply To: Requiring Bit-Locker key when it isnt activated after Win 11 update

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: