BitLocker is a Microsoft encryption product designed to protect user data on a computer. If there is a problem with BitLocker, the computer enters BitLocker recovery mode and prompts for a recovery key. If you do not have a working recovery key for the BitLocker recovery prompt, you will not be able to access the computer. BitLocker encryption is often intentionally enabled by or on behalf of a user with full administrator access to the device. This user can be you, another user, or an organization that manages the device.
The BitLocker encryption process occurs in the background and often goes unnoticed by users until a recovery event occurs. If you wish to disable BitLocker, please see these guides: how to correctly disable Microsoft BitLocker Administration and Monitoring encrypted devices, how to view BitLocker Disk Encryption Status in Windows, how to query MBAM to display the report for BitLocker Recovery for a specified period of time, and how to determine why an MBAM protected device is non-compliant.
Why was this error prompted?
There are a number of reasons why the BitLocker recovery mode will be prompted. Some of these are as follows.
Note: For Dell devices, Dell BIOS updates suspend BitLocker before flashing, so a BitLocker recovery event cannot occur due to the firmware update.
For some other device types, however, a BIOS update can trigger a BitLocker recovery event because the TPM's PCR (Platform Configuration Register) values change between when Windows is running and when the BIOS is updated. If the computer enters recovery mode, it is also likely that an external drive is connected, which changes the boot drive enumeration. I will be covering various reasons for the BitLocker recovery prompt in another guide. Here is a guide on how to deploy the MBAM client as part of the Windows deployment process.
Storage options for BitLocker recovery keys
Recovery keys can be saved in different ways depending on the version of Windows installed. Before we proceed in resolving this issue, you must have previously saved your BitLocker recovery key in one of these locations below. Here is a guide on how and where to find your BitLocker recovery key in Windows.
- Microsoft account
- On a printout
- USB flash drive
- Azure Active Directory account
- Copied and saved in a text file on another PC. You can remotely connect to that PC and view the text file from another device. Make sure that each backed-up recovery key is accessible from another computer or phone, so that you can retrieve the key without having to remotely connect to a PC.
Also, if you are using MBAM to manage BitLocker, the recovery key will be saved in the MBAM database, and you will be able to query the database via the Help Desk or Advanced Help Desk and the self-service portal. You can determine if you have MBAM installed from the following link.
Additionally, if you have configured the BitLocker recovery keys to be saved to Active Directory, you will also be able to find your keys there. Here is a guide on how to back up existing and new BitLocker recovery keys to Active Directory using a simple script, and how to fix a missing BitLocker Recovery tab in Active Directory Users and Computers. If you have enabled BitLocker for a device, the key will be found under the BitLocker Recovery tab as shown below.
If you have the keys saved in AD, you will require Domain Admin rights to view them, and you will also need to install the BitLocker Drive Encryption Administration Utilities on a server.
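To confirm ahead of a recovery event that every protected volume actually has a recovery password and that it has been escrowed to Active Directory, a check like the following can be run from an elevated PowerShell session. This is an added example, not the script from the linked guide; it assumes a domain-joined PC where Group Policy permits storing BitLocker recovery information in AD DS, and the `-BackupToAD` switch is a name chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker recovery-password protectors and, on request,
# back them up to AD DS. Assumes a domain-joined PC with the built-in BitLocker module.
[CmdletBinding()]
param(
    [switch]$BackupToAD   # hypothetical switch: without it the script only reports
)

$report = foreach ($vol in Get-BitLockerVolume) {
    # A volume can carry several protectors (TPM, PIN, recovery password, ...).
    $recovery = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($vol.ProtectionStatus -eq 'On' -and $recovery.Count -eq 0) {
        # Protected but unrecoverable: a recovery prompt here means a reinstall.
        Write-Warning "$($vol.MountPoint) is protected but has no recovery password protector."
    }

    foreach ($kp in $recovery) {
        $status = 'NotAttempted'
        if ($BackupToAD) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                $status = 'BackedUp'
            }
            catch {
                $status = "Failed: $($_.Exception.Message)"
            }
        }

        # Only the protector ID is reported, never the 48-digit recovery password.
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectorId   = $kp.KeyProtectorId
            ADBackup         = $status
        }
    }
}

$report | Format-Table -AutoSize
```

The script deliberately leaves the recovery password itself out of its output, so the report can be logged or shared with a help desk without exposing the key.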
I do not have a BitLocker Recovery Key Saved (Not in my Microsoft account either)
If you do not have a working recovery key for the BitLocker recovery prompt, you will not be able to access the computer.
Note: No PC manufacturer can help you bypass the BitLocker recovery process because this is a Microsoft encryption security product. Therefore, they do not store this key!
The BitLocker Setup process forces the creation of a recovery key at the time of activation, and if you are unable to find a required BitLocker recovery key, you'll need to reinstall your device. Reinstalling your device removes all files. Alternatively, you can have it re-installed entirely via WDS and MDT. Here is a guide on how to Install ADK, MDT, and WDS: Deploy Windows images via Microsoft Deployment Toolkit and Windows Deployment Services.
I hope you found this blog post helpful. Please let me know in the comment section if you have any questions.