[SOLVED] Loading live Ubuntu triggered BitLocker Recovery Key

Appletax (Well-Known Member, Northern Michigan)
Client brought me her Dell 22 3264 AIO because it was slow. It has a 7th gen i3 and an HDD. I steered her to getting a refurb from me that supports Win 11 and is massively faster. She wanted me to transfer her data to the new PC. To avoid the slowness, I booted live Ubuntu. When I tried to access the HDD, it asked for a passphrase to decrypt the drive. I rebooted so I could just use Windows to do the transfer and was greeted with a requirement to enter the BitLocker Recovery Key. Why would this happen? She does not have the key. Can't find it in her M$ Account.

I think Microsoft has been randomly turning on stripped down BitLocker encryption in Windows 10/11 Home editions without even telling the user.

I guess her only option for data recovery is to send the HDD to somewhere like $300 Data Recovery where the service fee is $420 + $20 return shipping + shipping for sending it to them + cost of another drive to transfer the data to.

Wow, what a nightmare. Microsoft has got to stop auto encrypting drives. Not everyone needs that and it just creates issues for those that are ignorant of it.
 
You can turn Bitlocker off. Reference this thread.

 
Here's another thread about how to turn it off.

 
You can turn Bitlocker off. Reference this thread.


None of this helps because the drive is locked and the client does not have the 48-digit recovery key.

I get this error: the operation cannot be performed because the volume is locked.

I hope this never happens again - that live Ubuntu doesn't trigger BitLocker to require the recovery key.
 
It's not random... it's literally by design.

The client does have the key, it's buried in the Microsoft account it made them create to set the machine up. If they didn't keep track of that, it's completely on them. Format C:, make them make a new account, associate the machine and tell them to get a brain cell.

They do this for their iPhones or their Androids, EXACT SAME PROCESS. Yes, those devices ALL auto-encrypt. They need to do it for their PCs too.

And no, Microsoft "will not stop" doing this. They don't care about the residential market, that's not where the money is. AND they're legally held responsible all over the place when they don't force the user to secure things.

So yes, the endpoint will be encrypted.
Yes, you need to learn how to deal with that.
Yes, Apple does the same stupid thing, so pay your "Apple Tax".
Yes, I'm making fun of you for failing to draw that connection.
No, the user doesn't have an option to be stupid.
Yes, the user will use cloud backed software of some kind to keep their files safe.

Note, data recovery is USELESS; they aren't decrypting those files either. If she's lost her account and the recovery key and she cannot find them... those files ARE GONE, and she did it to herself.
 
I think Microsoft has been randomly turning on stripped down BitLocker encryption in Windows 10/11 Home editions without even telling the user.

No offense meant to you, but yes, they have, and where have you been?!!

Microsoft has been activating BitLocker (or what's effectively BitLocker on Windows 11 Home) when initially set up for some time now if you configure the machine with a MS-Account during OOBE and, possibly, even when you force create a local account (I've not checked this because I do not do this - all Windows machines I configure in 2024 are done with a Microsoft Account linked Windows user account).

You've actually liked a couple of my posts from months ago decrying this insane push to encrypt everything by default. After talking with clients and letting them decide, I frequently run:
manage-bde -off C:
to turn encryption off. It's off on my machine, which runs Windows 11 Pro and all other machines in my household as well (except, possibly, the desktop I did a N&P on just 2 days ago).
 
If they didn't keep track of that, it's completely on them. Format C:, make them make a new account, associate the machine and tell them to get a brain cell.

On this, we're in agreement. We are long past the point in time where people should understand that online accounts (and the passwords and/or other verification methods for same) are the keys to the various cyber-rooms in their virtual house. They need to be treated with the same respect and care as real keys are, which usually means having a spare set in case you lose the first (essentially, a password manager or log in case you forget your login ID, password, or both). I am thankful that for a number of accounts these days they guide you to add a mobile phone number as part of the setup that can be used as part of password recovery/reset. It generally makes life much easier if a password recovery/reset ever becomes necessary.

I have made a point of telling my clients this almost every time I work with them. The latest, who's 84, was not certain what her password was for her Comcast account, which is where her email resides. I made a point of going through the "Forgot Password" process with her, resetting it, and making sure the latest one was recorded, along with the "lecture" about the need to keep her log (which she prefers) updated if/when a password change is done for any reason.

They do this for their iPhones or their Androids, EXACT SAME PROCESS. Yes, those devices ALL auto-encrypt.

Most of those can be decrypted, and are, if you take off all lock mechanisms. Removing PIN/swipe pattern/whatever along with any biometrics most often results in a device that is no longer encrypted. Some, not many, of my clients want to go that route with their phones.
 
Client brought me her Dell 22 3264 AIO because it was slow. It has a 7th gen i3 and an HDD. I steered her to getting a refurb from me that supports Win 11 and is massively faster. She wanted me to transfer her data to the new PC. To avoid the slowness, I booted live Ubuntu. When I tried to access the HDD, it asked for a passphrase to decrypt the drive. I rebooted so I could just use Windows to do the transfer and was greeted with a requirement to enter the BitLocker Recovery Key. Why would this happen? She does not have the key. Can't find it in her M$ Account.

I think Microsoft has been randomly turning on stripped down BitLocker encryption in Windows 10/11 Home editions without even telling the user.

I guess her only option for data recovery is to send the HDD to somewhere like $300 Data Recovery where the service fee is $420 + $20 return shipping + shipping for sending it to them + cost of another drive to transfer the data to.

Wow, what a nightmare. Microsoft has got to stop auto encrypting drives. Not everyone needs that and it just creates issues for those that are ignorant of it.
What did you use for the chassis? The old or new? What version of Windows? I guarantee you that a recovery key exists. If this account is the correct one it'll also show the old computer as a registered device.
 
Can't find it in her M$ Account.
That simply means it's not the correct MS account.

Any of their email addresses could be the MS account first used on the PC. You (or they) need to try each of their email addresses as MS account login via a browser. Thankfully just entering the email address and clicking Next will result in "MS account doesn't exist" if it isn't one before bothering with password attempts/recovery.

I suspect the Linux boot might have triggered the TPM chip to forget the locally stored key, intentionally or otherwise. Or did you turn off Secure Boot in the BIOS?

I use a Win10 bootable USB drive (created by Rufus) for recovering files etc. I don't think a cancelled Bitlocker key prompt when accessing the built-in drive causes a subsequent boot to prompt for a Bitlocker key.
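The manage-bde post above and the TPM/Secure Boot question in this post both come down to the same check: know whether the drive is encrypted, and have the recovery password in hand before booting anything else. The script below is an added example, not from any poster in this thread; it assumes an elevated PowerShell on the machine with the BitLocker module (Get-BitLockerVolume, Add-BitLockerKeyProtector, Suspend-BitLocker) available, which is the same machinery manage-bde drives, and the output path is an arbitrary choice.

```powershell
# Added example (not from this thread). Run as Administrator on the PC
# BEFORE booting live Ubuntu, a Rufus USB, or changing Secure Boot.
# Assumes the BitLocker PowerShell module is present (it is on the
# editions where manage-bde works). Output path is an arbitrary choice.
$outFile = Join-Path $env:USERPROFILE 'Desktop\BitLocker-RecoveryKeys.txt'
$lines   = @()

foreach ($vol in Get-BitLockerVolume) {
    $lines += "Volume {0}  VolumeStatus={1}  Protection={2}" -f `
              $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus

    # Nothing to back up on a volume that was never encrypted.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

    # The 48-digit recovery password lives in a RecoveryPassword protector.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # Encrypted with only a TPM protector: add a recovery password now,
        # so a changed boot measurement cannot lock the data away for good.
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint `
            -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($p in $rp) {
        $lines += "  KeyProtectorId {0}  RecoveryPassword {1}" -f `
                  $p.KeyProtectorId, $p.RecoveryPassword
    }
}

$lines | Set-Content -Path $outFile
Write-Host "Wrote $outFile - print it for the client and keep it off this PC."

# If you still need to boot other media or toggle Secure Boot, suspend
# protection for one reboot so the TPM does not demand the recovery key;
# BitLocker re-arms itself automatically on the following boot.
Get-BitLockerVolume |
    Where-Object { $_.ProtectionStatus -eq 'On' -and $_.MountPoint -eq $env:SystemDrive } |
    ForEach-Object { Suspend-BitLocker -MountPoint $_.MountPoint -RebootCount 1 | Out-Null }
```

The same inventory is what `manage-bde -protectors -get C:` prints; the point is doing it before the drive is touched from another OS rather than after the recovery prompt appears.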
 
Any of their email addresses could be the MS account first used on the PC.

Or none of them could be. And I say that because there are idiots who claim to be support technicians who "just create a new email account" (these days, most often in Outlook.com, but not always) to configure the machine, and that information is never passed on to the person for whom it's being set up.

That actually infuriates me more than end users who say, "But I don't have an {insert account here} account!" The fact that virtually everything these days remembers userids and passwords (or other verification) "forever" if you check a "keep me logged in" option means that many people have virtually never directly used either the account or the password needed at a given moment in time. And on plenty of occasions it's because they have no idea an account was actually created and linked to their Windows user account.

If there were such a thing as malpractice in this business . . .
 
That simply means it's not the correct MS account.

Coming back to this, it definitely does make sense to try every email address the client actually knows of related to themselves to see if, perchance, a MS account does exist that used it and has that BitLocker key.

This is one of the reasons that asking, "What is your Microsoft Account login (probably an email address)?" has now become part of my standard question set. If the claim is made that they don't have one, then I will try, if time allows, to log in to Microsoft.com using every active email address they give me and with the password(s) they give me, and if none of the passwords work, hitting the Forgot Password link. After a few minutes I will know whether one of those is a Microsoft Account that belongs to the client or not.

I have to do this for all other cloud connected devices, and Windows Machines have been cloud connected devices for the most part for a very long time now. One must have "the keys to the kingdom" to be able to do the necessary work on many occasions.
 
Great little article.

I do want to add, though, that the good old command line manage-bde works whether we're talking BitLocker or just "other" Device encryption. This is another area where I'll never understand why a distinction was made in branding.

It makes sense that the BitLocker name would have been used for device encryption, period, but the actual feature set available to BitLocker would depend on the Windows Edition under which it runs. But, nooooooooooooo . . .

Yet we have 362 different Outlooks! Ugh.
 
Client brought me her Dell 22 3264 AIO because it was slow. It has a 7th gen i3 and an HDD. I steered her to getting a refurb from me that supports Win 11 and is massively faster. She wanted me to transfer her data to the new PC. To avoid the slowness, I booted live Ubuntu. When I tried to access the HDD, it asked for a passphrase to decrypt the drive. I rebooted so I could just use Windows to do the transfer and was greeted with a requirement to enter the BitLocker Recovery Key. Why would this happen? She does not have the key. Can't find it in her M$ Account.

I think Microsoft has been randomly turning on stripped down BitLocker encryption in Windows 10/11 Home editions without even telling the user.

I guess her only option for data recovery is to send the HDD to somewhere like $300 Data Recovery where the service fee is $420 + $20 return shipping + shipping for sending it to them + cost of another drive to transfer the data to.

Wow, what a nightmare. Microsoft has got to stop auto encrypting drives. Not everyone needs that and it just creates issues for those that are ignorant of it.

I've run into this a handful of times. Usually end up getting lucky figuring out the MS account login eventually, but yeah, it can be a PITA because people don't realize the importance of it until they're in the situation.

Home users often don't want to buy 365 or pay for the OneDrive space, but they know it's on them as long as someone explained it to them.

External drives are always nice for the cheapskates, but then oftentimes those will fail and no one will know etc... so yeah, people who are just uninformed or cheapskates will probably eventually learn a hard lesson with the way things work now, it seems.

I just feel bad for the seniors because many of them just don't comprehend this stuff well at all...or even if you can make them understand it in the moment of talking about it...won't matter the next day they'll forget what was talked about.
 
I just feel bad for the seniors because many of them just don't comprehend this stuff well at all...or even if you can make them understand it in the moment of talking about it...won't matter the next day they'll forget what was talked about.

And this is a good reason for focusing on "What you need to do to protect yourself," and setting that up and walking them through it, rather than on the "Whys" behind it.

Having a local backup on a USB HDD for that purpose, where "the next backup" is taken like once per month (and for most seniors, that's more than frequent enough), where only the most recent two images are maintained, is light years better than nothing at all.

I have never, in all my years in this business, even once had a circumstance where a backup drive and the source drive backed up to it simultaneously failed, and that's even before I started insisting that backup drives only be hooked up to take the backup, then be unplugged until the next one.

No system is perfect, but having no system at all for backing up is about as awful a situation as you can get.
 
External drives are always nice for the cheapskates, but then oftentimes those will fail and no one will know etc...
Most of the time, with those types of customers, I'll get a panic call: "I can't find xxxxxx file(s)." "Where are you looking?" "My backup drive." "Ok, so just look for it on your computer." "It's not there because I moved it to the backup drive." "You only have a backup if you have an original file. All you did was move the original file somewhere else."
 
"You only have a backup if you have an original file. All you did was move the original file somewhere else."

And that's one of the reasons I try to avoid referring to the backup drive as anything but the backup drive. The only thing that should be on it are either full system image backups and/or user data backups taken with a utility that doesn't "just copy" so that this data can be accessed directly from file explorer.

Using a backup drive as though it were a jump drive (unless you're already quite sophisticated about the fact that this can be done) ends up with people doing exactly what you've said, and that's not a backup, it's just a single copy held on a different drive.

If you don't have 2 exact duplicates - original and on other physical media - you don't have a backup. And, as we all know here, there are times where you really want to have 3 - original, locally accessible backup that's stored on-site, and backup that's stored off-site (whether cloud or regular backup drive not kept on prem except when a backup is in progress or a restore is being performed).
 
Well, cloud backup and/or external backup would probably be a selling point going forward. I mean this doesn't help you right now, but something to suggest.

I've never had an issue with BitLocker before like this myself, and interesting that the drive acted up after Ubuntu was loaded. At the same time, every time I see BitLocker turned on I always proceed with caution and stop and ask if the client has the recovery key. I've heard stories, though, that BitLocker can trigger for the dumbest things. Again, never seen it myself, just stories.

But when I do see it I make sure that they have their account in order and make sure that the BitLocker information has been registered to their Microsoft account. Better safe than sorry.

Anyways, feel for you, as you may have done this routine thing millions of times but it's that one time that sucks.
 