Why Does Bitlocker Recovery Keep Happening

Windows Server 2016 and above.

The user can supply the recovery password. If your organization allows users to print or store recovery passwords, the user can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft Account online.

(Saving a recovery password with your Microsoft Account online is only allowed when BitLocker is used on a PC that is not a member of a domain).

A data recovery agent can use their credentials to unlock the drive.

If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.

How to Set the BIOS to Prevent BitLocker Recovery Key Prompts

A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method requires that you have enabled this recovery method in the BitLocker Group Policy setting Choose how BitLocker-protected operating system drives can be recovered located at Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives in the Local Group Policy Editor. For more information, see BitLocker Group Policy settings. On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use BitLocker Device Encryption only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the Interactive logon: Machine account lockout threshold Group Policy setting located in \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options in the Local Group Policy Editor. Or they can use the MaxFailedPasswordAttempts policy of Exchange ActiveSync (also configurable through Microsoft Intune), to limit the number of failed password attempts before the device goes into Device Lockout. On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. Failing to boot from a network drive before booting from the hard drive. Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked. Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition. Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated.
Comments are closed.