Force BitLocker Recovery: Perform BitLocker Recovery via the Self-Service Portal and Helpdesk

BitLocker recovery is the process by which access to a BitLocker-protected drive is restored when the drive does not unlock with its default unlock mechanism (for example, the TPM releasing the key at boot). In this article, we discuss “Force BitLocker recovery: Perform BitLocker Recovery via the Self-Service Portal and Helpdesk”. Please see Perform BitLocker Recovery Password Rotation in Active Directory, what are the Reasons for BitLocker Recovery Prompt: Query the number of BitLocker recovery requests, and how to Delegate control for BitLocker recovery keys in Active Directory.
Note: To perform self-service recovery, an end user must have logged on to the computer locally (not remotely) at least once successfully; the MBAM client reports that logon to the server, and that is what authorises the user to retrieve the key for that device through the Self-Service Portal. Otherwise, the key must be retrieved through the Helpdesk Portal. See below for the helpdesk prerequisites as well.
Also, see how to “Force BitLocker Recovery mode: How to unlock BitLocker Protected Drive, and “How to Perform a Self-service Password Reset using the Windows Login Integration Client“.
BitLocker recovery process via the Self-service Portal
The Self-Service Portal is used by organisation staff to recover their own BitLocker recovery keys without involving the help desk at all.
Note: You can keep tabs on the BitLocker Recovery Request via the MBAM Recovery Audit report. Please see how to Create a web page to visualize the output of BitLocker Script.
Below are some reasons why a device may prompt for its BitLocker recovery key. Here are more Reasons for BitLocker Recovery Prompt: Query the number of BitLocker recovery requests, and how to fix BitLocker always prompting for Recovery Key.
- BIOS/UEFI firmware or TPM changes (the measured boot values no longer match what the TPM sealed the key to)
- Boot or OS files modified
- Lost PINs and passphrases (not applicable in our case)
Test on a Physical Device
Launch an elevated Command Prompt or PowerShell window and run the following command, substituting the drive letter of the volume you want to force into recovery: manage-bde -ForceRecovery C:. The command removes the TPM-based unlock for the next boot only, so it takes effect at the next restart. Before running it on a device you care about, confirm the volume has a recovery password protector and that the protector has been escrowed to MBAM (or Active Directory); otherwise nobody will be able to unlock the drive after the reboot.

After the restart, the BitLocker recovery screen is displayed, showing the Recovery Key ID you will need for the portal.
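The pre-flight checks described above, as an added PowerShell example that is not part of the original article: it verifies that the volume is protected and has a recovery password protector, records the Recovery Key ID (and its eight-character short form that the Self-Service Portal accepts) before the device is locked, optionally escrows the protector to AD DS, and only then calls manage-bde -ForceRecovery. The mount point, the -BackupToAD switch and the interactive confirmation are assumptions for this example; MBAM escrow itself is done by the MBAM agent, not by this script.

```powershell
# Added example (not from the original article): pre-flight checks before
# forcing a BitLocker volume into recovery mode, so you never lock yourself
# out of a drive whose recovery password was not escrowed.
# Run from an elevated PowerShell prompt. 'C:' mirrors the article's example.
param(
    [string]$MountPoint = 'C:',
    [switch]$BackupToAD   # assumption: optional AD DS escrow (needs the AD backup GPO)
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    throw "Protection on $MountPoint is $($vol.ProtectionStatus); nothing to force into recovery."
}

# The recovery screen asks for the RecoveryPassword protector, not the TPM one.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    throw "No RecoveryPassword protector on $MountPoint. Add one (Add-BitLockerKeyProtector -RecoveryPasswordProtector) and let it escrow before forcing recovery."
}

foreach ($p in $rp) {
    # KeyProtectorId is the GUID shown as 'Key ID' on the recovery screen;
    # the Self-Service Portal needs only its first 8 characters. Record it now.
    $id = $p.KeyProtectorId.Trim('{}')
    Write-Host "Recovery Key ID: $id  (portal short form: $($id.Substring(0,8)))"
    if ($BackupToAD) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Host "Escrowed $id to AD DS."
    }
}

# manage-bde is used because the BitLocker PowerShell module has no
# equivalent of -ForceRecovery. It takes effect at the next restart.
$confirm = Read-Host "Force $MountPoint into recovery on next restart? (y/N)"
if ($confirm -eq 'y') {
    manage-bde -forcerecovery $MountPoint
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed with exit code $LASTEXITCODE" }
    Write-Host "Done. Reboot with 'shutdown -r' and the recovery screen will appear."
}
```

Keep the printed Recovery Key ID next to you while testing: if the ID on the recovery screen does not match what the script printed, you are looking at a different protector (or a different volume) and the key you retrieve from the portal will not unlock the drive.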

Here is a guide on “Understanding Microsoft BitLocker Administration and Monitoring Roles“, and How to upgrade Veeam Backup & Replication to version 12.2.
Perform Self Service Recovery
Note: If you receive an invalid key ID error, proceed to the “What could cause Invalid Key ID when requesting BitLocker Recovery Key?” section below for the possible reasons, or see how to “Resolve Invalid Key ID when requesting BitLocker Recovery Key”.
Next, open the following page to perform the self-service recovery. Log in with the account of the user associated with the PC that is displaying the BitLocker recovery prompt.
URL for example "xxxxx://techdambam.com/SelfService/Recovery/Index"

Enter the Recovery Key ID displayed on the recovery screen as shown below (the first eight characters are enough; you do not need to type the whole ID). Do not forget to specify a reason for the retrieval, as it is recorded in the MBAM audit log.

The BitLocker recovery key has been successfully retrieved from the Self-Service Portal, as shown below.

Next, go to the PC and enter this 48-digit recovery key on the recovery screen, as shown below.

Your device will restart and you will once again have access to your PC.
Note: If you are testing on a VM, you can also disable Secure Boot in the VM settings; the change to the measured boot state will trigger the recovery screen on the next restart, just like the manage-bde command above.
Please see how to “Backup existing and new BitLocker Recovery Keys to Active Directory“. Also, see how to Fix no BitLocker Recovery tab in Active Directory.
BitLocker Recovery via the Helpdesk
Note: Helpdesk access is split between two roles, described below.
You must be a member of at least one of these groups in AD in order to perform BitLocker recovery via the helpdesk portal.
- Advanced Helpdesk Users: Provides access to all areas of the Administration and Monitoring Website. Users in this role enter only the recovery key ID, not the end user’s domain and user name, when helping end users recover their drives.
- Help Desk Users: Provides access to the Manage TPM and Drive Recovery areas of the Administration and Monitoring Website. Users in this role must fill in all fields, including the end user’s domain and account name, when they use either area.
If a user is a member of both the MBAM Helpdesk Users group and the MBAM Advanced Helpdesk Users group, the MBAM Advanced Helpdesk Users permissions override the MBAM Helpdesk Users permissions.
Note: When you perform BitLocker key recovery via the Helpdesk or Advanced Helpdesk portal, the request is logged (who retrieved which key, for whom and why), and because MBAM recovery keys are single-use, the MBAM client generates a new recovery key for the volume the next time it reports in.
Performing recovery via the Advanced HelpDesk
Note: You will need to access the URL “xxxxx://techdambam.com/HelpDesk/” and log in with your helpdesk credentials.
As you can see below, the User Domain and User ID are not required. Enter the key ID and the reason for the unlock, and click “Submit”.

Performing recovery via the HelpDesk User Role
As you can see below, the User Domain and User ID are required. Enter them together with the key ID and the reason for the unlock, and click “Submit”.

After submitting the request, the recovery key is revealed and you can now provide the user with this key.

Now you can proceed to recover the PC, as shown below.

What could cause Invalid Key ID when requesting BitLocker Recovery Key?

One reason could be that the user profile has been deleted from the device, and you are trying to use this user to perform BitLocker self-service recovery. MBAM only authorises self-service for users the MBAM client has reported as having logged on to that device, so a deleted profile breaks that association.
Note: If the device is also non-compliant in MBAM, the user will not be able to perform self-service recovery.
Another reason could be the last contact date of the device: if the MBAM agent has not checked in for a long time, the server may not know the current recovery key ID. You can look at the Computer or Enterprise reports in Reporting Services for more information about the device.

To fix this issue and ensure the MBAM agent can communicate with the MBAM server correctly, run “gpupdate /force” so that the MBAM client policies are reapplied and the agent checks in. Once the device is recognised by the server with its current Recovery Key ID, you should be able to perform the self-service recovery.
Note: Even with this issue, you can still retrieve the BitLocker recovery key through the helpdesk portal, or from Active Directory when the environment is configured to back keys up to AD.
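The troubleshooting steps above, as an added PowerShell health check that is not part of the original article: it confirms the MBAM client service is running, that Group Policy delivered the MBAM service endpoints, lists the recovery password protector IDs currently on the device (the key ID the user types must still exist there), then reapplies policy, restarts the agent so it checks in immediately, and shows the latest MBAM client events. The service name, registry path, value names and event log name are those of the MBAM 2.5 client and should be verified against your version; the endpoint URLs are whatever your GPO sets.

```powershell
# Added example (not from the original article): MBAM client health check
# to run elevated on a device that returns "Invalid Key ID" in the portal.
# Names below are the MBAM 2.5 client's; verify them against your version.

# 1. Is the MBAM client service present and running?
$svc = Get-Service -Name MBAMAgent -ErrorAction SilentlyContinue
if (-not $svc) { throw 'MBAMAgent service not found: the MBAM client is not installed on this device.' }
"MBAMAgent service: $($svc.Status)"

# 2. Did Group Policy deliver the MBAM endpoints? Without them the agent
#    never escrows keys or reports status, so the server has no record of
#    this machine (or of its users) and the portal rejects the key ID.
$pol   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$names = 'KeyRecoveryServiceEndPoint', 'StatusReportingServiceEndPoint'
$props = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
foreach ($n in $names) {
    $v = $props.$n
    if ([string]::IsNullOrWhiteSpace($v)) { Write-Warning "$n is not set; check GPO scope and links." }
    else { "$n = $v" }
}

# 3. The Recovery Key ID the user is typing must belong to a protector that
#    still exists on the volume (MBAM keys are single-use and get rotated).
Get-BitLockerVolume |
    Where-Object { $_.KeyProtector.KeyProtectorType -contains 'RecoveryPassword' } |
    ForEach-Object {
        $ids = ($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
        "$($_.MountPoint) RecoveryPassword IDs: $($ids -join ', ')"
    }

# 4. Re-apply policy and make the agent check in now rather than waiting for
#    its next scheduled wake-up, then look at the client log for escrow and
#    compliance entries.
gpupdate /force | Out-Null
Restart-Service -Name MBAMAgent
Start-Sleep -Seconds 30
Get-WinEvent -LogName 'Microsoft-Windows-MBAM/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

If step 2 reports missing endpoints, the problem is policy targeting rather than the portal, and no amount of retrying the self-service request will help until the device receives the MBAM client GPO and reports in.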

FAQs
First, determine the BitLocker status via the command line using “manage-bde -status”, or over the Reporting Services dashboard. As you can see, a reboot is required; use the command shutdown -r to reboot your PC.
Yes, the local deletion of a user profile can affect authorisation for MBAM (Microsoft BitLocker Administration and Monitoring) self-service recovery. The BitLocker keys themselves are not stored in the profile, but the MBAM client uses the presence of a user’s profile on the machine to report which users have logged on to it, and the server uses that user-to-device association to decide who may retrieve the device’s key through the Self-Service Portal.
If a user profile is deleted locally, the association for that user is also dropped the next time the client reports, and the self-service portal will no longer recognise the user as authorised to recover that device. Please see What Is the NTUSER.DAT File in Windows? If the profile is later recreated, the association is re-established only after the user logs on again and the MBAM client reports that logon to the server.
I hope you found this article on “Force BitLocker Recovery: Perform BitLocker Recovery via the Self-Service Portal and Helpdesk” very useful. Please feel free to leave a comment below.