Sysadmins frequently ask about BitLocker Recovery Mode. They have deployed BitLocker as their endpoint encryption solution, which means the IT service desk now has to hand out recovery keys. This is where things get complicated: the recovery keys are 25-digit hexadecimal numbers. They are hard to read, and even harder to relay over a telephone line.
What exactly is BitLocker Drive Encryption?
Let’s start with a brief introduction to BitLocker. BitLocker Drive Encryption, usually just called BitLocker, lets Windows users encrypt their hard drives to protect the data on them. BitLocker has been part of the Windows operating system since 2007, but Microsoft significantly improved it in Windows 10 version 1511 by adding new encryption algorithms and allowing separate Group Policy settings for fixed drives, removable drives and the operating system drive.
Authentication to BitLocker
Let’s first look at the basics of BitLocker authentication methods, since they are what can lead to lockouts. The most common method is the TPM, the Trusted Platform Module, a microchip built into desktops and laptops. It can decrypt the hard drive at startup without requiring a PIN, a USB key or any other form of authentication. This method requires no action from the user, and it is not the most secure.
Microsoft recommends combining the TPM with a BitLocker PIN or a startup key stored on a USB drive for added security. Both methods require user interaction and can lead to lockouts if the PIN is forgotten or the USB drive is lost.
What are the causes of BitLocker Recovery Mode?
BitLocker Recovery Mode can be triggered for a variety of reasons, including:
Authentication errors:
Forgetting the PIN
Entering the PIN incorrectly too many times (triggering the TPM’s anti-hammering protection)
Using a keyboard with a different layout that does not enter the PIN correctly or does not match the pre-boot environment
Losing the USB flash drive that contains the startup key
Boot/BIOS changes:
Turning off BIOS support for reading USB devices in the pre-boot environment when USB-based keys are used
Changing the BIOS boot order so that another drive boots before the hard drive (such as giving a CD or DVD drive priority in the boot order)
Upgrading critical early-startup components, such as a BIOS upgrade
Changes to the master boot record (MBR) on the disk
Changes to the boot manager (bootmgr) on the disk
Failing to boot from a network device before booting from the hard drive
Using a BIOS hotkey during boot to change the boot order to something other than the hard drive
Software, hardware, and firmware modifications:
Inserting or removing a CD/DVD
Docking or undocking a portable computer, if the computer was in the other state (undocked or docked, respectively) when BitLocker was turned on
Changes to the NTFS partition table on the disk, including creating, deleting or resizing the primary partition
Turning off, disabling, deactivating or clearing the TPM
Updating option ROM firmware
Upgrading TPM firmware
Adding or removing hardware
Adding or removing add-in cards (such as network or video cards), or updating add-in card firmware
Other causes:
Changing the Platform Configuration Registers (PCRs) used to build the TPM validation profile
Hiding the TPM from the operating system
Moving the BitLocker-protected drive to a different system
Upgrading the motherboard to a new one with a new TPM
Failing the TPM self-test
Having a BIOS or option ROM component that does not comply with the relevant Trusted Computing Group standards for a client computer
Changing the user authorization for the root storage key of the TPM to a non-zero value
Enabling the code integrity check, or turning on test signing in Windows Bootmgr
Inserting, removing or completely draining the smart battery (portable computer)
Pressing the F8 or F10 key during the boot process
What is a PCR?
Most of these causes are obvious, but changing the Platform Configuration Registers (PCRs) is not always well understood or configured correctly. In essence, these settings tell the TPM chip how to verify, at power-on, that the disk is booting on a legitimate device that has not been tampered with. If that check passes, the TPM chip releases the keys so that BitLocker can start on the encrypted disk.
When a device is encrypted, it records its BIOS/UEFI configuration. Any change to that state can trigger BitLocker Recovery Mode. The change can be as simple as choosing a different boot device at the start of the boot process, if the profile is not configured to match your organization’s network connectivity requirements, e.g. if you normally boot from the hard disk but have to boot from USB, CD or the NIC because of a problem.
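To see how a given machine is exposed to the causes listed above, the following added script (my own example, not part of the original post) reports each BitLocker volume’s protectors, whether a recovery password protector exists for the service desk to use, and which PCRs the TPM protector validates at boot. It assumes Windows 10/11 with the BitLocker PowerShell module and manage-bde available, run from an elevated prompt; the function name Get-PcrValidationProfile is my own.

```powershell
# Added example: read-only BitLocker recovery-readiness report.
# Assumes the BitLocker module (Get-BitLockerVolume), the TPM module (Get-Tpm)
# and manage-bde.exe are present, and the session is elevated.
#Requires -RunAsAdministrator

function Get-PcrValidationProfile {
    param([string]$MountPoint)
    # manage-bde prints a "PCR Validation Profile:" line followed by the PCR list
    # for the TPM protector; only that list is returned, so the recovery password
    # that manage-bde also prints never reaches the console or a log.
    $lines = manage-bde -protectors -get $MountPoint 2>$null
    $next = $false
    foreach ($line in $lines) {
        if ($next -and $line -match '^\s*\d[\d,\s]*$') { return $line.Trim() }
        $next = ($line -match 'PCR Validation Profile')
    }
    return 'n/a (no TPM protector or unable to query)'
}

$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)  locked out: $($tpm.LockedOut)"

foreach ($vol in Get-BitLockerVolume) {
    $types    = $vol.KeyProtector.KeyProtectorType
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    ""
    "Volume $($vol.MountPoint) [$($vol.VolumeType)]  protection: $($vol.ProtectionStatus)  encrypted: $($vol.EncryptionPercentage)%"
    "  Protectors: $($types -join ', ')"
    if ($types -contains 'Tpm') {
        # TPM-only: no PIN or startup key, so a PCR mismatch alone sends the machine into recovery.
        "  TPM-only protector: boot environment changes alone can trigger recovery mode"
    }
    if ($recovery) {
        # Only the protector ID is shown; it is what the service desk looks up in AD/Entra.
        foreach ($r in $recovery) { "  Recovery password protector ID: $($r.KeyProtectorId)" }
    } else {
        "  WARNING: no recovery password protector; a lockout cannot be resolved by the service desk"
    }
    if ($vol.VolumeType -eq 'OperatingSystem') {
        "  PCR validation profile: $(Get-PcrValidationProfile -MountPoint $vol.MountPoint)"
    }
}
```

A volume that lists only a Tpm protector and shows a PCR profile including the boot-order PCRs is the configuration where the boot-device and firmware changes above most often land a user in recovery mode.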