Unsolved

May 18th, 2021 07:00

Bitlocker nightmare

I have a DELL XPS 13 9360. I recently had a Dell Technician come and replace a motherboard. However, now the machine requires a BitLocker Recovery Key.

I never requested or actively turned this on. I have tried the various workarounds like trying to restore the BIOS (although it is not totally clear how you return to factory default). I have checked in the Microsoft Account and there is no key there.

Somehow, BitLocker has been turned on, without active intervention, and I have no idea how or when (never seen this in several years). There are clearly many people affected by the same issue, but the various fixes I have seen posted don't work for me.

So I have now paid for an expensive repair, and have an unusable PC. The technician just said it was a software thing, and shrugged. 

I understand that the new motherboard has set off an "alert" in the system that the config might now be "unsafe", but the end result is I have a non-usable device.

Any ideas?

4 Operator

14K Posts

May 18th, 2021 07:00

@NickinFrance  If BitLocker was enabled at some point, then the decryption key for your Windows partition would have been stored in the TPM at the time encryption was enabled.  The TPM is built into the motherboard, and therefore when you replace the motherboard, you get a new TPM.  That new TPM won't have the decryption key for your Windows partition embedded into it, and therefore will not be able to provide the key to unlock it so that the system can boot without user input.  And that's why you're seeing a Recovery Key prompt.  If you don't have the Recovery Key, then unfortunately your data is effectively lost.  There is no workaround here.  There are cases where you can end up seeing a Recovery Key prompt after updating your BIOS or changing certain settings, since those changes can cause the TPM's "platform integrity check" to fail and therefore cause it to refuse to release the decryption key that it has.  And in those cases, reverting whatever change caused the platform integrity check to fail can make the Recovery Key go away, since the TPM will once again start releasing its stored decryption key.  But in this case, your new motherboard simply doesn't have a decryption key for your Windows partition, so if you don't have a key yourself, then the data remains encrypted.

In terms of how it became encrypted in the first place, the way it is at least MEANT to work is that when you link your Windows account to your Microsoft account -- which Microsoft is making it increasingly difficult to avoid -- then BitLocker gets enabled and your Recovery Key gets backed up to that Microsoft account in the cloud.  But I've seen multiple threads just like this where users have not found their key there.  And I don't know what accounts for that.  In my mind this is a hugely risky design.  I understand the benefits of encryption and support its use, but if I were designing this mechanism, I would make sure there was a prominent warning saying, "Hey!  Since you've linked your Windows account to your Microsoft account, we're going to encrypt your data for your security and privacy.  Typically you won't have to do anything at all to use your PC, but there are times when you might be asked for a Recovery Key.  Here's where you'll need to go if you ever need it, and we're displaying it right now in case you want to back it up somewhere else as well.  Don't ever lose this."  But that's not how it works.
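The reply above describes the failure mode (the TPM protector is bound to the old motherboard, and a missing recovery key means the data is unrecoverable). The following is an added example, not code from the reply or from Dell: a pre-service check an administrator can run from an elevated PowerShell prompt on Windows 10/11 before a motherboard swap. It uses the built-in BitLocker module to confirm a recovery password protector exists, writes it somewhere other than the encrypted disk, and optionally suspends protection for the service window. The mount point, the export path and the `-SuspendForService` switch are assumptions chosen for this example.

```powershell
# Added example (not the forum reply's own code): pre-service BitLocker check.
# Run from an elevated PowerShell prompt on Windows 10/11 with the BitLocker module present.
# Assumptions: the OS volume is C:; $ExportPath is a placeholder for removable media you control.
param(
    [string]$MountPoint = "C:",
    [string]$ExportPath = "E:\bitlocker-recovery-key.txt",   # placeholder: NOT the encrypted drive
    [switch]$SuspendForService                                # set this right before the hardware swap
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Host "$MountPoint is not encrypted; nothing to back up."
    return
}

# 1. Which protector unlocks the drive at boot? A TPM-type protector is exactly what a new
#    motherboard (new TPM) can no longer satisfy.
$tpmProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
Write-Host ("TPM-based protectors on {0}: {1}" -f $MountPoint, $tpmProtectors.Count)

# 2. Is there a recovery password at all? Without one, losing the TPM means losing the data.
$recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    Write-Warning "No RecoveryPassword protector exists on $MountPoint. Adding one now."
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

# 3. Record the recovery password(s) off the encrypted disk (the same value that Windows
#    would back up to the Microsoft account, so this is the local copy the thread wishes it had).
$recovery | ForEach-Object {
    "Protector ID: {0}`nRecovery password: {1}`n" -f $_.KeyProtectorId, $_.RecoveryPassword
} | Set-Content -Path $ExportPath
Write-Host "Recovery password written to $ExportPath. Store it away from this machine."

# 4. Optional: suspend protection for the service window. While suspended the volume key is
#    stored in the clear, so only do this immediately before the swap and resume right after.
if ($SuspendForService) {
    # RebootCount 0 keeps protection suspended until Resume-BitLocker is run explicitly.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
    Write-Host "BitLocker suspended on $MountPoint. After service run: Resume-BitLocker -MountPoint $MountPoint"
}
```

Resuming after the swap re-seals the volume key to whatever TPM is present at that moment, which is why suspending before firmware updates or board replacements avoids the recovery prompt entirely; the export step is the safety net for the case the thread hit, where the cloud backup could not be found.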

May 18th, 2021 10:00

Thanks for your response. 

I feared this might be the case. 

For me, it is a terrible system. It seems it can be turned on "in the background", and this "Link" to a MS account - even if it ever existed, which seems dubious based on the number of people with issues - is a pretty thin thread. What if someone changes their account, not knowing this critical thing is there? It isn't logical at all.

Anyway, I assume my only alternative is to reinstall Windows and all?

Thanks

Nick

4 Operator

14K Posts

May 18th, 2021 10:00

@NickinFrance  I completely agree that the setup experience should be much clearer about this.  And BitLocker should never begin encrypting until it has absolutely verified that the Recovery Key has been backed up to the cloud.  In terms of switching accounts, it is possible for an admin to export a Recovery Key whenever a BitLocker volume is already unlocked, so when creating a new user account (which also requires admin privileges) it would be possible to back up the Recovery Key to that new user's Microsoft account.  But I don't know if that happens.  I avoid using Microsoft accounts for my Windows logon.

But in terms of a fix, unless you happen to have a system image backup that was created while the system was unlocked and therefore could be restored in unencrypted form, then yes you'll need to set up your system again from scratch.  I wish I had better news for you.

May 18th, 2021 11:00

Good news and bad news.....

I managed to burrow my way into an old Microsoft account and find the magic key! BUT... actually this is my wife's computer, and she used to sign in with a PIN. This no longer works (I guess it was also hardware linked). She can't sign in using her Microsoft account either, and can't remember the password she used to use way back when. (You are actually advised to use a PIN.)

I have an account on the same machine, but not with Admin privileges, so I can't reset her account. 

So any ideas how to get around this? It seems that the only way in now is via some ancient local password she can't remember.

It seems not great that there was no warning of the possible consequences of changing the hardware - none of this is obvious to the casual PC user. 

4 Operator

14K Posts

May 18th, 2021 11:00

@NickinFrance  Well in fairness, BitLocker had no way of knowing you were about to replace a motherboard, so I don't see how it could have given you advance warning about this.  Additionally, if the old motherboard had still been available, you could have avoided the Recovery Key prompt by reinstalling it, since you would then once again have a TPM that contained the decryption key.  But if the tech doing the hardware replacement didn't check for BitLocker and walked off with the old motherboard, then you're stuck.

Nice to hear that you found the key somewhere.  So I guess that aspect of the process did in fact work as expected.

Yes, the PIN is also tied to the TPM and Windows recommends using one because the fact that PINs rely on the TPM increases security over a typical password -- although it of course does not increase convenience when something happens to your TPM.

In terms of workarounds, there are bootable environments that can remove or reset a Windows account password (one of the reasons it's worthwhile to enable encryption), and now that you have the BitLocker Recovery Key, you'd be able to unlock your drive.  But I haven't used those tools in a while, and even when I did, I don't remember one that had easy integrated support for unlocking BitLocker volumes.  And I've also never tried to do that on Windows accounts associated with a Microsoft account, although I suppose you could try to use a tool like that to enable the built-in Administrator account and reset or remove its password.

4 Operator

14K Posts

May 18th, 2021 12:00

@NickinFrance  Sorry for the triple post here, but I edited my earlier reply to add the link that I mentioned but initially forgot to include.  And then I also forgot to mention that even after you get into your system, if you want to keep using BitLocker, you'll need to delete and recreate the TPM protector so that Windows will embed the unlock key into your new motherboard's TPM.  One option would be to just disable and re-enable BitLocker, but that will take a while, and it will also generate a new Recovery Key.  The other option that involves a bit of work in Command Prompt but saves time is to complete these steps.

First run this:

manage-bde -protectors -get C:

Look for the ID of the TPM protector.  It will be in braces (curly brackets).  Highlight that ID and copy it to your clipboard.  Then enter this, making sure to include the braces I've got in the example below:

manage-bde -protectors -delete C: -ID {ProtectorID}

Then to recreate it, enter this:

manage-bde -protectors -add C: -TPM
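The three manage-bde steps above can be scripted with the BitLocker PowerShell module so that the protector ID does not have to be copied by hand. The block below is an added example, not the reply's own code: run it from an elevated PowerShell prompt once the volume is already unlocked with the recovery password. It checks that the replacement TPM is ready, refuses to touch the TPM protector unless a recovery password protector remains (so a failure between the delete and the add cannot leave the volume with no way in), removes the stale protector and seals a fresh one into the new TPM. The mount point is an assumption; everything else is the standard module API.

```powershell
# Added example (not the forum reply's own code): rebind the TPM protector after a
# motherboard (and therefore TPM) replacement. Elevated PowerShell, Windows 10/11.
# Assumption: the OS volume is C: and has already been unlocked with the recovery password.
param([string]$MountPoint = "C:")

# The new TPM must be present and ready before Windows can seal a key into it.
$tpmState = Get-Tpm
if (-not ($tpmState.TpmPresent -and $tpmState.TpmReady)) {
    throw "TPM not usable (TpmPresent=$($tpmState.TpmPresent), TpmReady=$($tpmState.TpmReady)). Initialize it in BIOS/tpm.msc first."
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Guard: keep a recovery password protector in place before removing anything.
$recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    throw "No RecoveryPassword protector on $MountPoint. Run Add-BitLockerKeyProtector -RecoveryPasswordProtector first."
}

# Equivalent of 'manage-bde -protectors -get C:' plus 'manage-bde -protectors -delete C: -ID {...}':
# the old protector is sealed to the previous board's TPM and can never unlock this volume again.
$stale = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
foreach ($p in $stale) {
    Write-Host "Removing stale $($p.KeyProtectorType) protector $($p.KeyProtectorId)"
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# Equivalent of 'manage-bde -protectors -add C: -TPM': seal the volume key into the NEW TPM.
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null

# Verify: exactly one Tpm protector, and the recovery password is unchanged
# (unlike the disable/re-enable route, which generates a new one).
$after = Get-BitLockerVolume -MountPoint $MountPoint
$after.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize

$tpmNow = @($after.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })
if ($tpmNow.Count -ne 1) {
    throw "Expected exactly one Tpm protector on $MountPoint after rebinding, found $($tpmNow.Count)."
}
Write-Host "TPM protector rebound. Reboot to confirm the volume unlocks without the recovery prompt."
```

If the original protector was TPM+PIN rather than plain TPM, re-add it with `-TpmAndPinProtector` (prompting for the PIN) instead of `-TpmProtector`, otherwise the rebuilt volume will boot with a weaker pre-boot check than it had before.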

4 Operator

14K Posts

May 18th, 2021 12:00

@NickinFrance  Ok, I just successfully tested a method for getting admin access to a system where you don't know any current password, but I keep getting errors when trying to write a post about it here or send it to you via PM. Testing this...

4 Operator

14K Posts

May 18th, 2021 12:00

@NickinFrance  Ok, I just tested a method that I remembered from the past, and it still works on a current Windows 10 environment. On the page I linked below, there's a method called "Create a new user to save account files". The additional step in your case is that you'll need to unlock your BitLocker partition. So after you boot your system into Windows 10 installation media (create it from any other PC), you'll press Shift+F10 to open Command Prompt. But before proceeding further through those steps, you'll need to use manage-bde to unlock your Windows partition. To do that, first enter:

manage-bde -status

That will show the drive letter assigned to your Windows partition, which you can identify by its partition size. It will NOT necessarily be C: in the Windows Setup environment. Once you've found the drive letter, enter:

manage-bde -unlock C: -RecoveryPassword 123456-123456....

Replace C: above with your Windows partition's actual drive letter if appropriate.

After you get that partition unlocked, you can proceed with the steps to copy CMD to UtilMan and then reboot your system into Windows, and at that point you can get a Command Prompt window at the Windows lock screen, which you can use to create a new admin user. Good luck.

Link: https://www.howtogeek.com/222262/how-to-reset-your-forgotten-password-in-windows-10/
