
What causes BitLocker Recovery Mode?

Sysadmins frequently ask us questions about BitLocker Recovery Mode. They have deployed BitLocker as their endpoint encryption solution, which means the IT service desk now has to hand out recovery keys. The problem is that this can be quite involved: the recovery keys are 25-digit hexadecimal numbers that are hard to read and even harder to hear correctly over a phone line.

What exactly is BitLocker Drive Encryption?

Let’s start with an introduction to BitLocker. BitLocker Drive Encryption, commonly called simply BitLocker, is a Windows feature that lets users encrypt their hard drives to protect the data on them. BitLocker has been part of the Windows operating system since 2007; however, Microsoft substantially upgraded it in Windows 10 version 1511, adding new encryption algorithms and making it possible to configure group policy settings separately for fixed drives, removable drives and the OS drive.

Authenticating with BitLocker

We’ll begin with an overview of BitLocker’s authentication methods, since they are what can lock users out. The most common method is the Trusted Platform Module (TPM), a microchip built into desktops and laptops. It can unlock the encrypted drive at boot without a PIN, a USB key or any other form of authentication. This method requires nothing from the user, but it is also not the most secure.

Microsoft recommends combining the TPM with a BitLocker PIN or a startup key stored on a USB drive for greater security. Both require user input and can lead to lockouts when the PIN is forgotten or the USB drive is lost.

The Roots of BitLocker Recovery Mode

BitLocker Recovery Mode can be triggered for a variety of reasons, including:

Authentication errors:

Forgetting the PIN
Entering an incorrect PIN too many times (activating the TPM’s anti-hammering logic)
Using a keyboard with a different layout that doesn’t enter the PIN correctly or doesn’t match the layout expected by the pre-boot environment
Losing the USB flash drive that contains the startup key

Boot/BIOS changes:

Turning off BIOS support for reading USB devices in the pre-boot environment when USB-based keys are in use
Changing the BIOS boot order so that another drive boots before the hard disk (for example, giving a CD or DVD drive priority in the boot order)
Upgrading critical early-startup components, such as a BIOS upgrade
Changes to the master boot record (MBR) on the disk
Changes to the boot manager (bootmgr) on the disk
Failing to boot from a network device before booting from the hard disk
Using the BIOS hotkey during boot to change the boot order to something other than the hard drive

Software, hardware and firmware updates:

Inserting or removing a CD/DVD
Docking or undocking a portable computer, if the computer was in the other state when BitLocker was turned on
Changes to the NTFS partition table on the disk, including creating, deleting or resizing the primary partition
Turning off, disabling, deactivating or clearing the TPM
Updating option ROM firmware
Upgrading TPM firmware
Adding or removing hardware
Adding or removing add-in cards (such as network or video cards) or upgrading the firmware of an add-in card

Other causes:

Changes to the Platform Configuration Registers (PCRs) used by the TPM validation profile
Hiding the TPM from the operating system
Moving the BitLocker-protected drive into a different computer
Upgrading the motherboard to a new one that comes with a new TPM
Failing the TPM self-test
Having a BIOS or option ROM component that does not comply with the relevant Trusted Computing Group standards for a client computer
Changing the usage authorization for the TPM’s storage root key to a non-zero value
Turning on code integrity checking or enabling test signing on the Windows boot manager (bootmgr)
Inserting, removing or completely depleting the charge of a smart battery (portable computer)
Pressing the F8 or F10 key during the boot process

What are PCRs?

Many of these causes are self-explanatory, but changing the Platform Configuration Registers (PCRs) is less well understood and often not configured correctly. In essence, these settings tell the TPM chip what to measure at power-on so it can confirm that the disk is booting on a legitimate machine that has not been tampered with. Only when that check passes does the TPM release the keys that let BitLocker unlock the encrypted disk.

When a device is encrypted, BitLocker records the BIOS/UEFI state at that time. Any change to that state can trigger BitLocker Recovery Mode. This can be something as simple as choosing a different boot device at start-up, if the validation profile has not been configured to match your organisation’s requirements; for example, when you normally boot from the hard disk but need to boot from USB, CD or the network (NIC) to troubleshoot a problem.
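The list of causes above and the PCR discussion both come down to the same operational question: before an admin changes the firmware or boot configuration, is the recovery key escrowed, is the TPM healthy, and which PCRs is the OS drive sealed against? The following pre-change check is an added example, not code from the original article; it assumes an elevated PowerShell session on the endpoint with the built-in BitLocker and TrustedPlatformModule modules (Get-BitLockerVolume, Get-Tpm, Suspend-BitLocker) and the manage-bde tool.

```powershell
# Added example (not from the original article): pre-change check before a
# BIOS/firmware update or boot-order change, which are recovery triggers above.
# Assumes: elevated session, BitLocker and TrustedPlatformModule modules present.
#Requires -RunAsAdministrator

$osDrive = $env:SystemDrive   # normally "C:"

# 1. Confirm the OS volume is protected and list the protectors in use
#    (Tpm, TpmPin, TpmStartupKey, RecoveryPassword, ...).
$vol = Get-BitLockerVolume -MountPoint $osDrive
"{0}: {1}, protection {2}" -f $osDrive, $vol.VolumeStatus, $vol.ProtectionStatus
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

# 2. Make sure a recovery password exists and is escrowed before touching the
#    platform; a PCR mismatch after the change otherwise means a locked machine
#    and a 25-digit key read out over the phone.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $rp = (Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
# Escrow to Active Directory (requires the matching BitLocker backup GPO);
# any failure surfaces now rather than after the reboot.
Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp[0].KeyProtectorId

# 3. TPM health: an anti-hammering lockout or a failed self-test is itself
#    one of the recovery triggers listed above.
$tpm = Get-Tpm
"TPM ready={0} lockedOut={1} lockoutCount={2}" -f $tpm.TpmReady, $tpm.LockedOut, $tpm.LockoutCount

# 4. Show which PCRs the TPM protector is sealed against (the validation
#    profile the article describes). manage-bde prints a line reading
#    "PCR Validation Profile:" with the PCR numbers on the line that follows.
manage-bde -protectors -get $osDrive | Select-String 'PCR Validation Profile' -Context 0,2

# 5. Suspend protection for exactly one reboot so the firmware or boot change
#    does not trip recovery; BitLocker re-seals to the new PCR values on resume.
Suspend-BitLocker -MountPoint $osDrive -RebootCount 1

# ... apply the BIOS/firmware update and reboot, then verify protection is back:
# Get-BitLockerVolume -MountPoint $osDrive | Select-Object ProtectionStatus
```

If step 2 fails because no backup GPO applies, stop there: proceeding with the change while the recovery password exists only on the device defeats the purpose of the check.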