Serial Key Bitlocker Recovery Every Restart




My name is Tanner Slayton and I am a Sr. Support Escalation Engineer for Microsoft on the Windows Core Team. I am writing today to shed some light on a common BitLocker problem that we see.

* While you can accomplish most tasks via the BitLocker Control Panel applet, I am going to be using the manage-bde commands from an elevated command prompt.

Specific operations or actions will cause BitLocker to go into Recovery Mode and ask you to enter the 48-digit Recovery Key. This can be caused by several things, and a complete list can be viewed here, but today I am going to go over the most common issues.

Scenario # 1: You are using a laptop or desktop computer and the BIOS boot order does not list the OS HDD as the first boot device. The reason this matters is that the boot device makes up part of the system measurement used by BitLocker, and this must remain consistent to validate the system status and unlock BitLocker. (For example, if you have the DVD-ROM drive listed first and bootable media is inserted, this can cause the system measurement to change.) Some firmware will also treat PXE network boot as a change in boot order – even when the user does not choose network boot. Changing from a wireless to a wired network can trigger a recovery event. Putting the HDD first in the boot order generally eliminates these issues.

Resolution:

o Suspend BitLocker drive encryption by typing “manage-bde -protectors -disable c:” from an elevated command prompt.


o Go into the BIOS and change the boot order so the OS HDD is first in the list.

o By default from most hardware vendors, the HDD is not the first boot device.

o If you have a laptop with a docking station, make sure that it is plugged into the docking station, so that the external devices presented by the docking station are present in the BIOS.

o Boot into the operating system and run “manage-bde -protectors -enable c:”

Scenario # 2: You are either deploying a new system or encrypting the drive for the first time. You might pause the BitLocker encryption process to improve performance while performing other tasks, so that encryption can run later, or because you need more than the 6 GB worth of free space to continue deploying the system. When you run “manage-bde -pause c:” you are pausing the drive encryption of C:, but not the BitLocker protectors on the system.

You might say to yourself, if I run “manage-bde -status c:” I see that the protection is off on that drive. The reason you see this is that the protection for the drive is not yet completed, but the clear text key still exists.

    Volume C: []
    [OS Volume]

        Size:                 37.17 GB
        BitLocker Version:    Windows 7
        Conversion Status:    Encryption Paused
        Percentage Encrypted: 3%
        Encryption Method:    AES 128 with Diffuser
        Protection Status:    Protection Off   <— Where it shows “Protection Off”
        Lock Status:          Unlocked
        Identification Field: None

Resolution:

o When you need to pause the encryption, whether for performance or drive space reasons, you need to run “manage-bde -pause c:”

o After encryption has been paused, you will want to run “manage-bde -protectors -disable c:”

o Once you have completed your tasks and wish to start the encryption process again, you can run “manage-bde -resume c:”

o Once the encryption is complete, or if you have completed your tasks, you will then want to run “manage-bde -protectors -enable c:”


Scenario # 3: The BIOS / TPM firmware is out of date on the system.

Resolution:


o Suspend BitLocker drive encryption: “manage-bde -protectors -disable c:”

o Update the BIOS on the system.

o If there is a TPM firmware update, please follow the vendor installation instructions.

o Reboot the operating system and run “manage-bde -protectors -enable c:”

Scenario # 4: You are installing additional language packs onto the system and selecting the option to apply the language settings to all users and system accounts. This causes a locale change in the BCD (Boot Configuration Database), which BitLocker with TPM interprets as a boot attack.

Resolution:

o Suspend BitLocker drive encryption: “manage-bde -protectors -disable c:”

o Add language packs to the system and make any language settings.

o Resume BitLocker drive encryption: “manage-bde -protectors -enable c:”


Scenario # 5: You create or modify any of the partitions that reside on the O/S drive.

Resolution:

o Suspend BitLocker drive encryption: “manage-bde -protectors -disable c:”

o Shrink, expand, or create any partitions on the drive.

o Resume BitLocker drive encryption: “manage-bde -protectors -enable c:”
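
Every resolution above ends by re-enabling the protectors, and Scenario 2 shows what “manage-bde -status” reports while they are off. The PowerShell below is an added example, not part of the original post: it parses that status text and lists each volume still showing “Protection Off” with the follow-up command from the post. The function names ConvertFrom-BdeStatus and Get-BdeProtectionGap, the D: volume in the sample, and the “Fully Encrypted” status string are assumptions.

```powershell
function ConvertFrom-BdeStatus {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Volume\s+([A-Za-z]:)') {
            # A "Volume X:" line starts a new record; emit the previous one.
            if ($null -ne $current) { [pscustomobject]$current }
            $current = [ordered]@{ Volume = $Matches[1] }
        }
        elseif ($null -ne $current -and $line -match '^\s*([^:]+):\s*(.*)$') {
            # "Field: value" line belonging to the current volume.
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }
}

function Get-BdeProtectionGap {
    param([string[]]$Lines)
    foreach ($v in (ConvertFrom-BdeStatus -Lines $Lines)) {
        if ($v.'Protection Status' -notmatch 'Off') { continue }
        $state = $v.'Conversion Status'
        # Assumption: a finished volume reports "Fully Encrypted".
        $action = if ($state -eq 'Fully Encrypted') {
            "manage-bde -protectors -enable $($v.Volume)"
        } elseif ($state -match 'Paused') {
            "manage-bde -resume $($v.Volume), then -protectors -enable when complete"
        } else {
            'review: volume is not fully encrypted'
        }
        [pscustomobject]@{ Volume = $v.Volume; Conversion = $state; Action = $action }
    }
}

# Constructed sample: C: is abridged from the post's output, D: is made up.
$sample = @'
Volume C: []
[OS Volume]
    Conversion Status:    Encryption Paused
    Protection Status:    Protection Off
Volume D: [Data]
[Data Volume]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off
'@ -split "`r?`n"

Get-BdeProtectionGap -Lines $sample | Format-Table -AutoSize
```

On a live system, pass the real output from an elevated prompt: `Get-BdeProtectionGap -Lines (manage-bde -status)`. The patterns match the English field names shown in the post, so localized Windows builds need them adjusted.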

I want to thank you for your time today and hope that this information was helpful.

Tanner Slayton
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support