BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. It provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later (2.0 at the time of writing this guide). Device manufacturers install the TPM as a hardware component in many newer computers. It works with BitLocker to safeguard user data and verify the integrity of a computer that may have been offline. Please refer to these related guides: How to clear, enable or disable TPM in Windows via the BIOS or UEFI, MBAM reports cannot be accessed because it could not load folder contents, and BitLocker Drive Encryption architecture and implementation types on Windows.
If your computer lacks TPM 1.2 or later, you can still use BitLocker to encrypt the OS drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. Since Windows 8, an operating system volume password can also protect the OS volume on computers without a TPM. Neither option provides the pre-startup system integrity verification offered by BitLocker with a TPM.
Here are some relevant guides: How to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines, how to clear the TPM via the management console or Windows Defender Center App, and MBAM reports automatic E-mail notification: How to create MBAM Enterprise and Compliance, and Recovery Audit reports.
In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. You may also want to see these guides: Implemented MBAM? Here is how to hide the Default BitLocker Drive Encryption item in the Windows Control Panel, and how to fix missing BitLocker Recovery Tab in Active Directory Users and Computers.
Unlock drive via Control Panel
The image below shows an encrypted and locked drive. To unlock and decrypt the drive and restore functionality, you need its recovery key. Kindly refer to these related guides on BitLocker key recovery: How to backup existing and new BitLocker recovery keys to Active Directory using a simple script, and how to delegate control for BitLocker recovery keys in Active Directory.
Since the drive we wish to decrypt is locked, we will have to right-click on the drive and then select ‘Unlock Drive’ to unlock it.
You can configure the saving of Recovery keys on USBs, Active Directory, or MBAM as needed.
Then, enter the password and click “Unlock” to unlock the drive. This 48-character recovery password will decrypt the drives, granting access to the volume.
If this device were protected by MBAM, you could get this key via the MBAM helpdesk, database, or self-service recovery portal!
As shown below, the drive is unlocked and ready for use. I recommend you check these guides: How to disable Microsoft BitLocker Administration and Monitoring encrypted devices, how to deploy Microsoft BitLocker Administration and Monitoring Tool, and how to Uninstall your current version of MBAM and run setup again.
Unlock drive via Command Prompt
You can also unlock a fixed drive protected by BitLocker from an elevated Command Prompt. All you need to do is type this command and press Enter.
manage-bde -unlock d: -password
When prompted, type the BitLocker password for this drive and hit Enter. It will unlock your drive immediately.
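The same unlock can be scripted with the BitLocker PowerShell cmdlets when the 48-digit recovery password from the Control Panel section is used instead of the drive password. The sketch below is an added example, not part of the original guide: it checks the recovery password for typing errors (eight groups of six digits, each group a multiple of 11 and below 720896) before calling Unlock-BitLocker. The function names, the D: mount point and the sample values are assumptions made for illustration.

```powershell
# Added example: assumes an elevated session with the BitLocker module available.
function Test-RecoveryPasswordFormat {
    param([Parameter(Mandatory)][string]$RecoveryPassword)
    # Eight groups of six digits separated by hyphens (48 digits in total).
    if ($RecoveryPassword -notmatch '^([0-9]{6}-){7}[0-9]{6}$') { return $false }
    foreach ($group in $RecoveryPassword.Split('-')) {
        $value = [int]$group
        # Each group encodes a 16-bit value multiplied by 11.
        if (($value % 11) -ne 0 -or $value -ge 720896) { return $false }
    }
    return $true
}

function Unlock-DataVolume {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][string]$RecoveryPassword
    )
    if (-not (Test-RecoveryPasswordFormat $RecoveryPassword)) {
        throw "Recovery password is malformed; re-check it for typing errors."
    }
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    if ($volume.LockStatus -ne 'Locked') {
        Write-Output "$MountPoint is already unlocked."
        return $volume
    }
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
    # Re-read the volume so the caller sees the new lock state.
    return Get-BitLockerVolume -MountPoint $MountPoint
}

# Constructed sample values, not real keys: the second has a typo in the last group.
$good = '000011-000022-000033-000044-000055-000066-000077-000088'
$typo = '000011-000022-000033-000044-000055-000066-000077-000089'
Test-RecoveryPasswordFormat $good
Test-RecoveryPasswordFormat $typo

# On a machine with a locked D: volume (assumption), from an elevated prompt:
# Unlock-DataVolume -MountPoint 'D:' -RecoveryPassword (Read-Host 'Recovery password')
```

The format check only catches transcription mistakes; whether the password actually belongs to the volume is decided by Unlock-BitLocker itself.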
I hope you found this blog post on unlocking a fixed drive protected by BitLocker helpful. Please let me know in the comment section if you have any questions.