Windows 10 Bitlocker

Hi All,  

Bit of a strange one here but will explain.

My work Lenovo laptop had Bitlocker on however I planned to upgrade to an SSD, was advised to remove bitlocker first so did and cloned the HDD to ssd and all was great.

Re-enabled bitlocker (right click C drive enable SSD) chose a PIN and it asked where to send the recovery key.. I chose cloud as want sure where else to.

NB. We have a company bitlocker server...

Whilst it was encrypting (about ten mins in) I had some windows updates / bios update so went ahead and did that (probably not my best move)

Bios update finished fine, reboot and asked for PIN which I enter but then asking for recovery ID as hardware changed (probably bios update)

Now, my company are saying the laptop probably didn’t check in to their bitlocker server in time so they don’t have the key stored, and I’ve checked my Microsoft account and that doesn’t have it either. The laptop still accepts my pin but won’t get past the recovery key stage.

Any ideas what to do? I’ve heard stories about going into bios or special UEFI to disable security of some kind?

Literally I’m stuck and this is a totally legitimate issue which I’m not sure if even logging a case with Microsoft can be resolved?

Shaun Okeefe CITPIT ManagerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

PeeterBIT Support TechCommented:
So, Recovery Key not in Bitlocker Server (MBAM ?) nor in your Microsoft account ..... any chance it's in Active Directory ??

If not, do you still have original HDD ??  If so, might be easiest just redo all steps ..... i.e refit original drive, turn off Bitlocker,  reclone to SSD , remove original Hdd and swap in SSD..... but disconnect from network and temporarily pause/defer Windows Updates until SSD fully encrypted ..
Shaun Okeefe CITPIT ManagerAuthor Commented:
Sorry to sound dumb. But if it's not on the MBAM server where do I look in AD?

Unfortunately the old HDD has been formatted and reused.

Cliff GaliherCommented:
You're likely looking at doing a clean install or cloning again from the old (decrypted) drive. The Bios update essentially locked you out of your encrypted drive and you don't have the key. It's gone. So the current encrypted drive is basically permanently locked so decrypting it at this point is not possible. But overwriting it is still an option.

The upshot is that you disabled bitlocker on your old drive before you cloned it. So you can recover the data from there.
CompTIA Network+

Prepare for the CompTIA Network+ exam by learning how to troubleshoot, configure, and manage both wired and wireless networks.

I've never used MBAM, so can't say anything about how that works, but for backing up info to AD there's a group policy setting to require backing up the recovery key to AD before encryption can be turned on (why your company would allow the drive to be encrypted without an immediate backup of the key is a mistake).  This info is attached to the computer account object.  Two ways to see if it's there in ADUC:
 - choose the view options to show computer objects as containers, then the presence of the recovery key can be seen inside the computer object container
 - with BitLocker management tools installed on the machine where you're launching ADUC, when you look at the properties of a computer object there is a BitLocker Recovery tab where you can view the key.
"Now, my company are saying the laptop probably didn’t check in to their bitlocker server in time" - get them for that. That should not even be possible. You can setup bitlocker GPOs that disallow encryption unless the key is backed up successfully, first. They need to activate that setting.

If you don't want to clone again, you can try to revert the bios update. Some machines allow that and chances are good that recovery mode will be left afterwards and your PIN will work again.
It is funny in the first place that it asks for a PIN at all and that would indicate it is not even in recovery mode, because normally, it would ask for the recovery key, without asking for the PIN, first.

So here's an alternate version of what might have happened: if your TPM is in TPM 2.0 mode but you installed windows with MBR partitioning and not in GPT partitioning, then exactly these symptoms would be seen at the first reboot after encrypting. It would ask for the PIN, the PIN would not work on the TPM 2.0, and that's why the only protector that's left (the rec. key) would be asked for.
TPM 2.0 requires UEFI based partitioning. Please verify that.
Shaun Okeefe CITPIT ManagerAuthor Commented:

When I go into the bios (thinkpad setup) under security under security chip, it's set to Discrete TPm

I do have option for intel PTT which says version 2.0
If I attempt to select this it says all keys will be cleared from security chip.

You're right when I boot up the laptop first thing it asks is my PIN which I Enter, then it says enter recovery ID
You should find out two things:
1 is "discrete TPM" also 2.0 (don't think so)?
2 can you downgrade your bios somehow (I bet you can, at least from a bootable USB OS like "windows to go")?
Shaun Okeefe CITPIT ManagerAuthor Commented:
key was backed up in Azure online somehow !

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.