Windows 10 Bitlocker
Asked by Shaun Okeefe CITP
Hi All,
Bit of a strange one here but will explain.
My work Lenovo laptop had Bitlocker on; however, I planned to upgrade to an SSD, was advised to remove bitlocker first, so did, and cloned the HDD to SSD and all was great.
Re-enabled bitlocker (right click C drive enable SSD), chose a PIN and it asked where to send the recovery key. I chose cloud as I wasn't sure where else to.
NB. We have a company bitlocker server...
Whilst it was encrypting (about ten mins in) I had some windows updates / bios update so went ahead and did that (probably not my best move)
Bios update finished fine; on reboot it asked for the PIN, which I entered, but then it asked for the recovery ID as hardware changed (probably the bios update).
Now, my company are saying the laptop probably didn’t check in to their bitlocker server in time so they don’t have the key stored, and I’ve checked my Microsoft account and that doesn’t have it either. The laptop still accepts my pin but won’t get past the recovery key stage.
Any ideas what to do? I’ve heard stories about going into bios or special UEFI to disable security of some kind?
Literally I’m stuck and this is a totally legitimate issue which I’m not sure if even logging a case with Microsoft can be resolved?
Cheers
Shaun
ASKER
Sorry to sound dumb. But if it's not on the MBAM server where do I look in AD?
Unfortunately the old HDD has been formatted and reused.
Cheers
Shaun
You're likely looking at doing a clean install or cloning again from the old (decrypted) drive. The Bios update essentially locked you out of your encrypted drive and you don't have the key. It's gone. So the current encrypted drive is basically permanently locked so decrypting it at this point is not possible. But overwriting it is still an option.
The upshot is that you disabled bitlocker on your old drive before you cloned it. So you can recover the data from there.
I've never used MBAM, so can't say anything about how that works, but for backing up info to AD there's a group policy setting to require backing up the recovery key to AD before encryption can be turned on (why your company would allow the drive to be encrypted without an immediate backup of the key is a mistake). This info is attached to the computer account object. Two ways to see if it's there in ADUC:
- choose the view options to show computer objects as containers, then the presence of the recovery key can be seen inside the computer object container
- with BitLocker management tools installed on the machine where you're launching ADUC, when you look at the properties of a computer object there is a BitLocker Recovery tab where you can view the key.
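As an added example (not code from this thread), the same check done from PowerShell instead of ADUC: it compares the recovery-password protectors on the OS volume with the msFVE-RecoveryInformation objects under the computer account and escrows any that are missing. It assumes the RSAT ActiveDirectory and BitLocker modules are installed, the session is elevated, and you have read rights on those child objects.

```powershell
# Added example: verify BitLocker recovery passwords reached AD, escrow if not.
# Assumes RSAT ActiveDirectory + BitLocker modules and an elevated session.
Import-Module ActiveDirectory
Import-Module BitLocker

$mount = 'C:'
$vol   = Get-BitLockerVolume -MountPoint $mount

# Only numerical-password protectors are escrowed to AD; TPM+PIN is not.
$recoveryProtectors = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

# One msFVE-RecoveryInformation object per protector, directly under the
# computer account (this is what the ADUC "BitLocker Recovery" tab reads).
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$adKeys = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
    -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
    -Properties msFVE-RecoveryGuid, msFVE-RecoveryPassword

foreach ($p in $recoveryProtectors) {
    # KeyProtectorId is "{GUID}"; AD stores the GUID as a byte array.
    $guid  = [guid]($p.KeyProtectorId.Trim('{}'))
    $match = $adKeys | Where-Object { [guid]$_.'msFVE-RecoveryGuid' -eq $guid }
    if ($match) {
        # The first 8 hex digits are the "recovery ID" the pre-boot screen shows.
        Write-Host "Protector $guid is escrowed in AD (recovery ID $($guid.ToString().Substring(0,8)))"
    } else {
        Write-Warning "Protector $guid is NOT in AD; escrowing it now"
        # Same operation Group Policy performs when 'require AD backup' is on.
        Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId
    }
}

# Do not reboot for firmware/OS updates while this is still
# 'EncryptionInProgress' and no protector has been escrowed.
"{0}: {1}, {2}% done, protection {3}" -f $mount, $vol.VolumeStatus,
    $vol.EncryptionPercentage, $vol.ProtectionStatus
```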
"Now, my company are saying the laptop probably didn’t check in to their bitlocker server in time" - get them for that. That should not even be possible. You can set up bitlocker GPOs that disallow encryption unless the key is backed up successfully first. They need to activate that setting.
If you don't want to clone again, you can try to revert the bios update. Some machines allow that and chances are good that recovery mode will be left afterwards and your PIN will work again.
It is funny in the first place that it asks for a PIN at all and that would indicate it is not even in recovery mode, because normally, it would ask for the recovery key, without asking for the PIN, first.
So here's an alternate version of what might have happened: if your TPM is in TPM 2.0 mode but you installed windows with MBR partitioning and not in GPT partitioning, then exactly these symptoms would be seen at the first reboot after encrypting. It would ask for the PIN, the PIN would not work on the TPM 2.0, and that's why the only protector that's left (the rec. key) would be asked for.
TPM 2.0 requires UEFI based partitioning. Please verify that.
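An added example (not from the answer above) that checks the preconditions this answer raises before a TPM+PIN protector is re-enabled: which TPM Windows sees and its spec version, whether the OS booted in UEFI mode, and whether the OS disk is GPT. It uses the Win32_Tpm WMI class and the built-in BitLocker module; run it elevated.

```powershell
# Added example: TPM spec version, firmware mode and partition style checks.
# Assumes an elevated session on the affected Windows 10 machine.
$tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
$spec = $null
if (-not $tpm) {
    Write-Warning 'No TPM visible to Windows (check "Security Chip" in the firmware setup).'
} else {
    # SpecVersion looks like "2.0, 0, 1.38" (spec, revision level, revision)
    $spec = ($tpm.SpecVersion -split ',')[0].Trim()
    "TPM: spec {0}, manufacturer {1}, enabled={2} activated={3} owned={4}" -f $spec,
        $tpm.ManufacturerIdTxt, $tpm.IsEnabled_InitialValue,
        $tpm.IsActivated_InitialValue, $tpm.IsOwned_InitialValue
}

# Firmware mode of the running OS and partition style of the disk holding it
$firmware = $env:firmware_type          # 'UEFI' or 'Legacy'
$osDisk   = Get-Partition -DriveLetter ($env:SystemDrive.TrimEnd(':')) | Get-Disk
"Firmware: {0}; OS disk partition style: {1}" -f $firmware, $osDisk.PartitionStyle

# The combination the answer describes: TPM 2.0 on a legacy/MBR install
if ($spec -eq '2.0' -and ($firmware -ne 'UEFI' -or $osDisk.PartitionStyle -ne 'GPT')) {
    Write-Warning 'TPM 2.0 with a legacy/MBR install: TPM+PIN cannot unseal; BitLocker falls through to the recovery key.'
}

# Protectors on the OS volume. A TPM protector is sealed to the firmware
# measurements (PCRs); a BIOS update changes them, which forces recovery.
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object -ExpandProperty KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```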
ASKER
Hiya,
When I go into the bios (thinkpad setup) under security, under security chip, it's set to Discrete TPM.
I do have option for intel PTT which says version 2.0
If I attempt to select this it says all keys will be cleared from security chip.
You're right, when I boot up the laptop the first thing it asks is my PIN, which I enter, then it says enter recovery ID.
You should find out two things:
1. Is "discrete TPM" also 2.0 (don't think so)?
2. Can you downgrade your bios somehow (I bet you can, at least from a bootable USB OS like "windows to go")?
ASKER CERTIFIED SOLUTION
If not, do you still have the original HDD? If so, it might be easiest to just redo all the steps: refit the original drive, turn off Bitlocker, reclone to the SSD, remove the original HDD and swap in the SSD, but disconnect from the network and temporarily pause/defer Windows Updates until the SSD is fully encrypted.