February 28th, 2018 17:00

BitLocker: need a key but I never installed it

Hi all, I have an unusual problem. 3 days ago my hard drive got blocked by BitLocker. It asks for a key in order to unlock my hard drive.

The problem is that I have never installed or set up BitLocker. This is a new laptop and no one had access to it except me. So I am 100% sure that BitLocker was never set up. I bought it via Amazon in Boston 4 months ago.

I checked my Microsoft account but didn't find BitLocker key there (again, because I didn't set it up). I called Dell and they told me I should call Microsoft. I called Microsoft and they told me I should call Dell. It's a closed circle and no one seems to be responsible.

My solution is to re-install Windows but in this case, I will lose all my data (which I don't want to do).

Does the Dell community have any recommendations? Did this issue happen in the past? Who could have set up BitLocker encryption on my laptop without providing me with a password?

If I don't recover my data, I consider suing Dell here in Boston. 

4 Posts

May 1st, 2018 18:00

All I know for sure is that my hard drive was encrypted when I used it. And it wasn't me who set up the encryption.

The message I received was a standard BitLocker blue screen asking for a password. There was a link to Microsoft account, but again - because I didn't set up BitLocker my Microsoft account didn't contain any password for it.

 

 

3 Apprentice

 • 

1.2K Posts

May 2nd, 2018 05:00


@nlecomte wrote:

Hi Alan,

thanks for your answer.

I'm exactly in the same situation as those guys. I've never installed bitlocker (and apparently it's not been pushed through the active directory) and therefore never get the key.

But today my laptop crashed so I wanted to perform a restore or log in in safe mode but I'm unable to do all this because I need to go through bitlocker first. And I can go further as I've no key.

You'll probably understand that your answer suggesting to reinstall Windows, wiping the data, is not acceptable as I've valuable data on my drive which can't be lost.

Can you explain why bitlocker is installed by default on our laptops?

thanks in advance for your answer.

regards

Nicolas


Hi Nicolas, 

@Saltgrass has touched on a few details regarding Bitlocker already. Essentially it's a security feature designed to prevent unauthorised access to data files on systems. Bitlocker is enabled by default when you install Win10 Pro. But it doesn't get activated until someone either manually saves the recovery key, you join a corporate domain, or you sign on with a MS account.

If you aren't using Win 10 Pro or Enterprise, then an installation and configuration of Bitlocker will have been carried out at some point to enable Bitlocker.

The system shouldn't prompt for a bitlocker password during updates, however a bit of research shows that MS updates have been shown to cause Bitlocker recovery prompts on a multitude of systems, not just Dell equipment, even when Bitlocker has been suspended on the system. I'm suspecting that this may be what is happening with some of the users that have commented.

Ultimately, Dell have no way of unlocking a Bitlocker password prompt system. Microsoft recommends the following steps to checking for a recovery key - https://support.microsoft.com/en-us/help/4026181/windows-10-find-my-bitlocker-recovery-key

I can't guarantee this will work, but if you haven't enabled Bitlocker on the system it may be possible to boot back into the system by disabling secure boot from the BIOS and once you are in Windows you can disable Bitlocker and update the system.

It all depends on what model of Dell that you have but if you power on the system and repeatedly tap the F2 key in quick succession you can access the BIOS. You will be looking for a menu for Boot Options and from within there you can disable "Secure Boot". Click on apply and then restart the system. Hopefully this bypasses the bitlocker prompt and you can now log into Windows as normal.

Once you are within Windows you need to try and suspend Bitlocker. The following article explains how to do this - http://www.dell.com/support/article/us/en/04/sln153694/updating-the-bios-on-dell-systems-with-bitlocker-enabled?lang=en

If the above fails to work and you still can't get past the BitLocker recovery prompt, you could try the following step - 

When prompted with the blue Bitlocker Recovery key request
1. Right-click the Start icon and select Command Prompt (Admin).
2. Type: dism /online /cleanup-image /restorehealth and hit Enter.

This will search for any damaged files created during updates which may be what is causing this Bitlocker prompt to appear.

Alan

3 Apprentice

 • 

1.2K Posts

May 2nd, 2018 05:00

@Klinten The steps that I have proposed on the post above may also apply to yourself if you are suggesting that Bitlocker was never enabled on the system. I would give them a try to see if they resolve your issue.

Alan

3 Apprentice

 • 

4.3K Posts

May 2nd, 2018 13:00

It might be time to try thinking outside the box... We know, if the user set up BitLocker, they would have a key.  If it was set up automatically and was needed in certain situations, there are only a few places the key should be.

Since the key is being enforced, and the user cannot find the key at the known locations, where else could it be?  Is it locked in the TPM or some location on that system?

When I got the popup on my system, I was given instructions as to where to find the key, but that doesn't seem to be happening in this situation either.  I showed several keys for my system both by name from the original install and the renamed system.  A 5 digit number was used to identify which key was required.

Could it be a situation where the key was set by a prior user from a repair motherboard replacement?  I would think Dell would normally wipe that type of info before using that motherboard again.  But maybe it gets missed in some situations.

I would suggest doing a Bios reset but if the drive is encrypted, it might not help get rid of the encryption.

Is there a Dell location where such a key would be stored?  I think this would be the most logical answer.  If they provisioned these systems to automatically encrypt the drive, it could be there is one central location where they are stored.

3 Posts

May 4th, 2018 05:00

Hi all,

thanks a lot for your answers.

I've tried a lot of things now without any success. The main problem is that the manage-bde.exe -status (executed from the X:) is returning a disk status as "Locked" which is preventing me from doing anything. I can't even "push" the eventual recovery key to my AD (or I'm not using the proper command).

My understanding is that the TPM key is stored in TPM and allows you to start your laptop with your user and password normally as long as the TPM doesn't detect any problem/failure on the disk. But in case it detects a problem, then it doesn't encrypt the disk and asks you for the recovery key....

Looks like there is no way to go over it. By the way, I've checked with all my colleagues at work (in Montréal office) for whom we bought all laptops at DELL website, and most of them have bitlocker activated whereas the only actions I'm doing when receiving the laptop are: logging in with a local admin account, renaming the laptop and linking it to my company domain.

I've checked with the admins of the Active Directory and up to now there is no GPO pushing the install of bitlocker nor retrieving any bitlocker key.

I think that it would be great from DELL to be transparent on what's happening here because lots of people might be losing a lot of valuable data because of this!!!

Regards

Nicolas

3 Apprentice

 • 

1.2K Posts

May 4th, 2018 06:00


@nlecomte wrote:

Hi all,

thanks a lot for your answers.

I've tried a lot of things now without any success. The main problem is that the manage-bde.exe -status (executed from the X:) is returning a disk status as "Locked" which is preventing me from doing anything. I can't even "push" the eventual recovery key to my AD (or I'm not using the proper command).

My understanding is that the TPM key is stored in TPM and allows you to start your laptop with your user and password normally as long as the TPM doesn't detect any problem/failure on the disk. But in case it detects a problem, then it doesn't encrypt the disk and asks you for the recovery key....

Looks like there is no way to go over it. By the way, I've checked with all my colleagues at work (in Montréal office) for whom we bought all laptops at DELL website, and most of them have bitlocker activated whereas the only actions I'm doing when receiving the laptop are: logging in with a local admin account, renaming the laptop and linking it to my company domain.

I've checked with the admins of the Active Directory and up to now there is no GPO pushing the install of bitlocker nor retrieving any bitlocker key.

I think that it would be great from DELL to be transparent on what's happening here because lots of people might be losing a lot of valuable data because of this!!!

Regards

Nicolas


Hi Nicolas, 

I can't be any more transparent than I already have been. As explained in my previous post, this issue that you are experiencing is not specific to Dell, it's seen across multiple manufacturers and models. There is suggestion that the issue is being caused by Microsoft updates. Bitlocker is Microsoft technology with the recovery key being stored in your Microsoft account or your Azure account. Dell has no way of accessing your password and thus are unable to provide any sort of recovery key.

Is your disk a self encrypting drive? Could that be the reason that it is locked?

You have mentioned that other colleagues have Bitlocker enabled - as per my last post Bitlocker is automatically enabled whenever you link the system to a corporate domain. Does your local IT administrator have the recovery key?

Alan

3 Apprentice

 • 

4.3K Posts

May 4th, 2018 08:00

Since you are in an Enterprise scenario, do your co-workers know where their keys are stored?

Anything in your or their BCD stores regarding key location?

Have you ever run in a Microsoft account?

In the manage-bde.exe help there is a switch for managing protection for the encryption key, does that show anything? (-protectors)

Running some commands if you are not signed into the system in some manner may not work.

3 Posts

May 7th, 2018 11:00

Hi thanks again for your answers.

Still not able to go over the bitlocker recovery key.

I've checked with my colleagues and no-one knows where their key is stored. Up to now I've asked them to run manage-bde -protectors -get c: when they are logged in so they can note down their recovery key.

What I don't understand is the statement saying that Bitlocker gets activated when joining a domain. I kind of understand the logic but if the domain is not setup to store the recovery key then it means that this key is stored nowhere and there is no way to find it?

I'll recheck with my admins but they've gone through all the info in the Active Directory without any success...

I guess I'll reformat and lose a lot of data but at least I've learnt to backup my data and check if disks are bitlocked...

Thanks for your help

3 Apprentice

 • 

1.2K Posts

May 8th, 2018 02:00


@nlecomte wrote:

Hi thanks again for your answers.

Still not able to go over the bitlocker recovery key.

I've checked with my colleagues and no-one knows where their key is stored. Up to now I've asked them to run manage-bde -protectors -get c: when they are logged in so they can note down their recovery key.

What I don't understand is the statement saying that Bitlocker gets activated when joining a domain. I kind of understand the logic but if the domain is not setup to store the recovery key then it means that this key is stored nowhere and there is no way to find it?

I'll recheck with my admins but they've gone through all the info in the Active Directory without any success...

I guess I'll reformat and lose a lot of data but at least I've learnt to backup my data and check if disks are bitlocked...

Thanks for your help


Hi Nicolas, 

Going by this Bitlocker Microsoft article, your domain administrator would need to setup a Group Policy to store passwords in an active directory - https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-key-management-faq

Alan
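The exchange above turns on two questions: is a volume encrypted at all, and does a recovery password exist anywhere other than on the machine itself. As an added example (not part of the original thread and not Dell's or Microsoft's own script), the PowerShell below answers both on a machine that still boots and escrows the recovery password to Active Directory when the computer is domain-joined. It assumes an elevated session inside Windows with the BitLocker module available; the function names `Get-RecoveryKeyAudit` and `Backup-RecoveryKeyToAD` are made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker before a lockout happens.
# Run from an elevated session inside Windows, not from the recovery environment.

function Get-RecoveryKeyAudit {
    # One row per volume that BitLocker has touched (encrypted or in progress),
    # including volumes where protection is suspended or never activated.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' } |
        ForEach-Object {
            $recovery = @($_.KeyProtector |
                Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
            [pscustomobject]@{
                MountPoint           = $_.MountPoint
                VolumeStatus         = $_.VolumeStatus
                ProtectionStatus     = $_.ProtectionStatus
                ProtectorTypes       = ($_.KeyProtector.KeyProtectorType -join ', ')
                RecoveryProtectorIds = $recovery.KeyProtectorId
                HasRecoveryPassword  = [bool]$recovery.Count
            }
        }
}

function Backup-RecoveryKeyToAD {
    param([Parameter(Mandatory)][string]$MountPoint)
    # Escrows every recovery-password protector of the volume to AD DS.
    # Throws if the domain is not set up to accept the backup.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $_.KeyProtectorId -ErrorAction Stop | Out-Null
            $_.KeyProtectorId   # return the ID that was escrowed
        }
}

$audit = @(Get-RecoveryKeyAudit)
$audit | Format-List

foreach ($row in $audit) {
    if (-not $row.HasRecoveryPassword) {
        Write-Warning "$($row.MountPoint) is encrypted but has no recovery password protector."
    } elseif ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        try   { Backup-RecoveryKeyToAD -MountPoint $row.MountPoint }
        catch { Write-Warning "AD escrow failed for $($row.MountPoint): $_" }
    }
}
```

The protector ID reported here is the identifier to match against the key ID shown on the recovery screen when several keys are stored for one account or computer.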

1 Message

July 1st, 2018 09:00

Hi friend. I had the same problem with my Dell Vostro, that I bought online on Amazon India. I was also very disturbed because I had my 1-year-old daughter's precious photos stored on it. I went through all the options listed on this forum and found no solution. Finally I found another solution online at https://onedrive.live.com/recoverykey. If you can log in with your Microsoft account and password you can find the 48 digit numerical key here like I found it. It looks like Microsoft self generated it because I have never set a recovery key. It is very bad that they do this without our permission. They should be sued for not informing the user before updating. I believe neither Dell nor Amazon is at fault here. It's all Microsoft here. I hope this helps. Believe me, I understand the pain of losing precious data.

1 Message

July 6th, 2018 17:00

I purchased a Dell Inspiron 3000 last week with Windows 10 Home for a client and in the process of making a backup image discovered that Bitlocker is on. I haven't the slightest idea why it would be installed and sold this way. Typically, I configure a new system with software and user data and then image it so it can be reset to my original delivery state. This particular client lives 400 miles away.

I usually use Acronis for this but I am not sure it will restore correctly.  I do have a Microsoft account and can try to unwind Bitlocker but this is new territory for me. I have used encryption products but not BitLocker. Any advice?

1 Message

July 8th, 2018 11:00

Hi All,

I faced this issue today. I believe it was triggered by a BIOS update I installed last week. I have a Dell XPS 13 running Windows 10.

Upon turning on my laptop I was faced with the "Enter your BitLocker Recovery Key", despite having never installed or enabled it, so I didn't have any recovery keys generated or saved.

I called Microsoft, they said it's up to the manufacturer.

I tweeted Dell support and they were finally able to help me access my laptop once again.

"Please follow the steps mentioned below, and let us know if you are able to boot to the OS.

1. Restart the system.

2. At the Dell Logo keep tapping F2.

3. You will enter the BIOS screen

4. Under General

5. Select  Boot Sequence.

6. Select  UEFI

7. Select  Apply.

8. Under “Security” select TPM 2.0 Security

9. Select  Enable and click on Apply.

10. Under “Secure Boot”

11. Select  Secure Boot Enable

12. Select  Enable.

13. Click on Apply. Once these steps are done, restart the system and let us know if you are able to boot into Windows."

-----

The above worked for me: I am now able to enter Windows and access my files. To avoid this stress in future, I recommend setting up a restore point and purchasing a reputable back up software, I've just purchased Acronis.

Good luck!

CahalSi

July 16th, 2018 21:00

Same has happened to me

1 Message

July 17th, 2018 07:00

Same here.   Inspiron Laptop.  Motherboard had to be replaced.  Bitlocker has locked both drives (we never installed Bitlocker).   No usable key on our Microsoft account.  Microsoft blaming DELL.  DELL blaming Microsoft.

 

Totally ridiculous!

July 17th, 2018 18:00

Similar issue has happened with me. How did you solve this?
