Get an overview of more BitLocker functionality, including lockouts and recovery mode.
- [Instructor] When you first set up BitLocker, a recovery key is created. This needs to be stored in a safe place, since it will be used to regain access to the drive if you're ever locked out. You can save the recovery key to a Microsoft account, save it to a file, print out the key onto paper, save it onto a USB drive, or even store it in Active Directory or Azure Active Directory. For Software Assurance customers, enterprises can also manage BitLocker by using MBAM, which stands for Microsoft BitLocker Administration and Monitoring.
In all scenarios, it is important not to store the recovery key on the device. We've seen that a drive is automatically unlocked whenever a TPM chip provides an unlock key or when you enter a password, but what if you've lost your unlock key or entered the incorrect PIN too many times? You can't access the drive because you're locked out. Although rare, sometimes the TPM chip can become faulty and therefore does not unlock the drive.
BitLocker lockout is where you'll need to use the BitLocker recovery key to gain access to the encrypted data. A few of the different scenarios where you'll use the BitLocker recovery key include: if the USB drive or password used to open an encrypted drive is lost or forgotten; if the drive ID is not the same as the one stored in the TPM; if the device has gone into device lockout, which is when the limit is reached for the number of failed password attempts; on updating the BIOS or UEFI firmware, hardware, or startup components on a PC; and changes to the master boot record on the encrypted drive.
In all these scenarios, the PC will enter BitLocker recovery mode, which will require you to provide the BitLocker recovery key to unlock the drive. The first step to regaining access to your BitLocker-encrypted drive is to locate the recovery key. An example of a 48-digit BitLocker recovery key is shown on screen.
If you've saved the key to your Microsoft account, the link to retrieve all of your recovery keys is shown on screen. Enterprise users will need to contact IT support for them to provide the key from Active Directory, MBAM, Microsoft Intune, or Azure AD. Once you've located your BitLocker recovery key, you can enter the 48 digits onto the blue BitLocker recovery screen that you're presented with. This will temporarily unlock the drive and allow Windows to boot. If you reboot the PC now, you will need to re-enter the recovery key again.
Once you've unlocked the drive and booted into Windows, you should then select Manage BitLocker in the Control Panel item and either disable and re-enable BitLocker or change the BitLocker password, making sure you save the recovery key safely. You should now be able to reboot the PC, and the drive should be accessible normally. If you forget your password for a USB thumb drive, you will be offered the chance to enter your 48-digit BitLocker recovery key within the GUI.
Once you've unlocked the drive, you should use the manage BitLocker management console in the control panel to change the password so you can access the drive normally. If you cannot find the recovery key, the data will be lost, as the only option you have is to re-format the drive.
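The two procedures the instructor describes, escrowing the recovery key off the device before a lockout and recovering a data drive whose password is forgotten, can also be driven from the built-in BitLocker PowerShell module. This is an added example, not code from the course; the drive letters, the placeholder recovery key and the function names are assumptions for illustration.

```powershell
# Added example, not from the course. Requires an elevated PowerShell session and
# the BitLocker module that ships with Windows 10/11 and Windows Server.

function Escrow-BitLockerRecoveryKey {
    # Ensure the OS volume has a 48-digit recovery password protector and back it
    # up to the computer object in AD DS, so the key is not stored only on the device.
    # Backup to AD DS needs the BitLocker schema extension and the Group Policy
    # setting that saves recovery information to AD DS; Azure AD joined devices
    # use BackupToAAD-BitLockerKeyProtector with the same parameters instead.
    param([string]$MountPoint = 'C:')   # assumed mount point

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    "Volume $($vol.MountPoint): status=$($vol.VolumeStatus), protection=$($vol.ProtectionStatus)"

    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        # No numerical recovery key yet: create one before anything can be escrowed.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($kp in $recovery) {
        # The protector GUID, not the 48 digits, identifies what gets escrowed.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
        "Escrowed recovery protector $($kp.KeyProtectorId) for $MountPoint to AD DS"
    }
}

function Recover-BitLockerDataDrive {
    # Unlock a data drive (for example a USB thumb drive) with the 48-digit key
    # when its password is forgotten, then replace the password protector so the
    # drive opens normally again, as the course does through the Control Panel GUI.
    param(
        [string]$MountPoint,          # e.g. 'E:' (assumed)
        [string]$RecoveryPassword,    # the 48 digits, groups separated by '-'
        [securestring]$NewPassword
    )

    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null

    # Drop the old, forgotten password protector(s) and add the new one.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Password' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $NewPassword | Out-Null
    "Drive $MountPoint unlocked and password protector replaced"
}
```

Typical calls are `Escrow-BitLockerRecoveryKey -MountPoint 'C:'` and `Recover-BitLockerDataDrive -MountPoint 'E:' -RecoveryPassword '<48-DIGIT-KEY-PLACEHOLDER>' -NewPassword (Read-Host -AsSecureString)`; the recovery password protector itself is left in place, so save a fresh copy of it off the device as the course advises.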