Recovering a Bitlocker key

This morning I bricked my laptop with a bit of tea. I dropped it off to see if the data could be recovered from the SSD and this afternoon the tech called to say the drive was encrypted with BitLocker. I remember when setting it up last year having to create a Microsoft account, but the drive being encrypted was a surprise to me and it is not written down anywhere. I gave the MS acct credentials to the tech, then the verification sent to my smart phone, but he was unable to get access.

This was quarter to five this evening so we quit, to pick it up again on Monday. I have logged into my MS account – for the first time since it was created – and it says there are no devices registered to the account. None of the other “suggestions” Microsoft has, printout, thumb drive, Azure account, or sysadmin are viable. I’m not understanding how the encryption could be set up with no trace of the key but are there any alternatives left?

Also, when the replacement is set up, where in the process do I tell it I don’t want any encryption? I sure missed it the first time around.

The only other place I know for the encryption is on the TPM. But I would have expected that would mean accessing the drive from the laptop would still work.

The TPM stores keys and is designed not to have access to them. If the key was only there, and they can’t get to it now, you may be SOL (straight out of luck, I believe). You’d just better have had backup, and use that. (Look up Backblaze for the easiest backup I’ve ever used.)

That said, I find it odd that your Microsoft account would not have any knowledge of your laptop. Are you sure that you used the right one?

It’s the only laptop I had and when I was setting it up out of the box last year it insisted I had to create a MS account, so I did. I have had nothing to do with the account since – had to look up the info in my list of logins.

If nothing shows up at https://account.microsoft.com/devices/recoverykey?refd=account.microsoft.com then you are boned.

That’s what I thought.

On to the second part: Where in the set-up process for the replacement will it tell me the key? Obviously I missed it with the first one.

Better yet how do I tell MS I don’t want the encryption in the first place?

Bitlocker is not activated by default and will make you print, backup to USB, or the cloud before it is enabled. Was the computer brand new when you got it?

Yes, it was. Had I noticed that the process was offering encryption I would have opted out and had I noticed the key double-sure would have recorded it.

Unfortunately you are pooched. I enforce Bitlocker on all our corporate assets, but I also have the key stored either in Active Directory or Azure Active Directory.

I highly recommend OneDrive or similar to backup your files to the cloud.

But you haven’t answered the questions. :-). Surely even MS wouldn’t be evil enough to impose it without telling me.

Microsoft does not enable encryption by default, and if some process did lead to the drive becoming encrypted, you would have seen notifications because Microsoft would insist you make a backup of the key prior to enabling bitlocker. As for your SSD, the password you used to regularly login to the system should be the password that is being asked for.

The password for logging into the computer when it is awakened? He had that – that’s what he called for.

It was a fifteen minute call before he quit for the day, if not the weekend. I’ll have more information on Monday.

When encrypting a system disk bitlocker stores its decryption key in the TPM. As long as the TPM is satisfied nothing has changed on the computer, then it will provide the key to unlock the drive. The only password you need to enter is your login password, but your login password is not related to unlocking the drive, just logging in once the drive is unlocked.

If the TPM thinks something changed, then you’ll need the bitlocker recovery key, which is a long alphanumeric (hex?) string. When encrypting a disk bitlocker requires this be saved someplace other than the drive being encrypted, printed, or saved to a Microsoft account. If saved to a file, the file will have a long name, and be a UTF-16 encoded text file. The recovery password is inside the file.

I do not know how to retrieve it if the recovery key is saved to a Microsoft account, but Bing might.

Bitlocker behaves differently when used to encrypt a removable drive. In that case a password is (usually) set for the drive, and that user-entered password is used to unlock the drive.

I’m not sure exactly what happens when a system disk is attached as an external drive. It may come up and ask for a password, but what it really wants is the recovery key. I know when the TPM is angry, the computer will ask for the recovery key associated with serial number 12345-56789-ABCD which is the name of the file the recovery key is saved in.
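As an added illustration of the recovery key file described above (example code, not from anyone in the thread): this decodes a UTF-16 recovery key file, pulls out the Identifier and the recovery password, checks the password against the format rules built into 48-digit recovery passwords (each 6-digit group is a multiple of 11 and below 720896; that rule is general knowledge about the format, not something the thread states), and compares the identifier with the ID shown on the recovery screen. The file body, GUID and digits are constructed for the example and unlock nothing.

```python
import re
from dataclasses import dataclass

# Constructed sample: the body of a recovery key file as Windows writes it,
# encoded UTF-16 (the thread notes the files are UTF-16 text). The GUID and
# the 48 digits are made up for this example.
SAMPLE_FILE_BYTES = (
    "BitLocker Drive Encryption recovery key\r\n\r\n"
    "Identifier:\r\n\r\n\t1A2B3C4D-0000-1111-2222-333344445555\r\n\r\n"
    "Recovery Key:\r\n\r\n\t123453-246906-370359-493812-617265-000011-111111-222222\r\n"
).encode("utf-16")  # Python's 'utf-16' codec prepends a BOM, as Windows does

GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
KEY_RE = re.compile(r"\b(?:\d{6}-){7}\d{6}\b")


@dataclass
class RecoveryInfo:
    identifier: str         # key protector ID; the file name carries the same value
    recovery_password: str  # 48 digits in 8 groups of 6


def parse_recovery_file(data: bytes) -> RecoveryInfo:
    """Decode a BitLocker recovery key file and extract its two fields."""
    text = data.decode("utf-16")  # the BOM tells the codec the byte order
    guid = GUID_RE.search(text)
    key = KEY_RE.search(text)
    if not guid or not key:
        raise ValueError("not a BitLocker recovery key file")
    return RecoveryInfo(guid.group(0).upper(), key.group(0))


def is_valid_recovery_password(password: str) -> bool:
    """Format check for a recovery password: 8 groups of 6 digits, each group
    a multiple of 11 (a typo check) and below 720896 (11 * 2**16), since each
    group encodes 16 bits of key material. Valid format does not mean it is
    the right key for a given drive."""
    groups = password.split("-")
    if len(groups) != 8 or not all(g.isdigit() and len(g) == 6 for g in groups):
        return False
    return all(int(g) % 11 == 0 and int(g) < 720896 for g in groups)


def matches_prompt(info: RecoveryInfo, prompt_id: str) -> bool:
    """The recovery screen shows the key ID (often just its first 8 hex digits);
    compare it with the file's Identifier before typing in the password."""
    return info.identifier.startswith(prompt_id.upper()[:8])
```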

I posted the link above for the OP, but they say the device isn’t showing up, so no joy there.

Unfortunately, you must have clicked through it.

The “where do I opt out” part.

If you are already encrypted with Bitlocker, you can right-click on the drive and select Manage Bitlocker to either turn it off or backup your key. I have no idea how you accidentally turned it on without backing up your key.

Unlike the standard BitLocker encryption, device encryption (which is still BitLocker - thanks Microsoft) is sometimes enabled by default.

This link will take you to the list of recovery keys on your Microsoft account:

Microsoft account | BitLocker recovery keys

This link explains why Bitlocker was enabled:

Overview of BitLocker Device Encryption in Windows - Windows security | Microsoft Docs

Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:

  • When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
  • If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
  • If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives Group Policy setting, and select the Do not enable BitLocker until recovery information is stored in AD DS for operating system drives option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
  • Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.

I remember none of that but being asked to create a MS account. It was my first startup of Windows 10 ever – and the first of any flavor of Windows in over a decade (I tend to get used computers) – so it wasn’t that I was clicking through everything without reading the notices.

I’m not sure what the phrase domain joined means. Perhaps for the IT department of a company? Ditto for AD DS, and I have never used Azure AD.

The first one applies to you. When you set up your Microsoft account, it activated Bitlocker automatically and saved the recovery key to your Microsoft account.

If you click on the first link in my previous post and log in with your Microsoft account, it will show all of the Bitlocker keys added to that account.

I am in the account now, looking at the history. I am seeing the attempt the tech made on Friday with “Sign-in blocked (account temporarily suspended)”.

Can you tell me where the key is stored? Under Security I am seeing Sign-in activity (where I just was), Password security, Advanced security options, and Stay secure with Windows 10.

Unrelated to this discussion (and I’m not sure if this still works with newer versions of Windows), but I’ve found that, when setting up a new Windows computer, if you hit the skip/later button when it tries to set up your wifi access (or leave the ethernet cord unplugged), it won’t force you to set up an MS account. It’ll nag you about it for a little while, but eventually leave you alone.