Bitlocker - Failed to unlock with this recovery key

    Question

  • Hi All,

    I wanted to make an extra data partition on my Windows 10 Pro domain joined Bitlocker encrypted laptop. Therefore I unencrypted it completely. After Gparted had made the extra partition, I restarted the machine and formatted the extra partition (In below dump volume D:). All looked OK.

    So I started Bitlocker encryption from the Control Panel. I choose full encryption. After the initialization the laptop restarted. But after the reboot, Grub (Linux boot menu) failed. It searched for the boot files on the wrong Linux partition. Anyway, after fixing the boot menu, I could choose the Windows 10 boot again. It asked for the PIN. After entering it, it asked for the recovery key. I checked AD for the recovery key. Indeed a new key was written to AD. Key ID, creation date and time are correct. But on entering the key I get "Failed to unlock with this recovery key error" message.

    "Manage-bde -status" reports the following:

    BitLocker Drive Encryption: Configuration Tool version 10.0.10011
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Disk volumes that can be protected with
    BitLocker Drive Encryption:
    Volume C: [Label Unknown]
    [Data Volume]

        Size:                 Unknown GB
        BitLocker Version:    2.0
        Conversion Status:    Unknown
        Percentage Encrypted: Unknown%
        Encryption Method:    XTS-AES 128
        Protection Status:    Unknown
        Lock Status:          Locked
        Identification Field: Unknown
        Automatic Unlock:     Disabled
        Key Protectors:
            Numerical Password
            TPM And PIN

    Volume D: [Data]
    [Data Volume]

        Size:                 227.49 GB
        BitLocker Version:    None
        Conversion Status:    Fully Decrypted
        Percentage Encrypted: 0.0%
        Encryption Method:    None
        Protection Status:    Protection Off
        Lock Status:          Unlocked
        Identification Field: None
        Automatic Unlock:     Disabled
        Key Protectors:       None Found

    Please advise if there is anything that can be done to get access to the partition again.

    Thanks in advance!

    Johan

    Wednesday, February 22, 2017 12:34 AM

All replies

  • Hi Johan,

    Didn't you store the recovery key locally or print it out?

    Firstly, make sure your environment meets the following conditions:

    • The domain must be configured to store BitLocker recovery information.
    • The computers protected by BitLocker must be joined to the domain.
    • BitLocker Drive Encryption must have been enabled on the computers.

    If yes, follow these steps to get the recovery key:

    1. In Active Directory Users and Computers, locate and then click the container in which the computer is located.

    2. Right-click the computer object, and then click Properties.

    3. In the Properties dialog box, click the BitLocker Recovery tab to view the BitLocker recovery passwords that are associated with the particular computer.

    Then copy the recovery passwords for a computer:

    1. Follow the steps in the previous procedure to view the BitLocker recovery passwords.

    2. On the BitLocker Recovery tab of the Properties dialog box, right-click the BitLocker recovery password that you want to copy, and then click Copy Details.

    3. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 23, 2017 6:51 AM
    Moderator
  • Your recovery key does not work for some reason and you already checked that the key ID in AD is matching the requested key ID. So all you can do is try from another windows instance: boot setup (win10 1607), when the setup screen shows, press shift F10 and a command line will appear. There, identify how setup has enumerated the system drive (which drive letter has it assigned to what you know as c:) for example by using the diskpart command - normally, it would be d:. Best would be to run manage-bde -status c: and ...d: and ...e: for all partitions visible so that you see the identifier and know which partition to work on.

    manage-bde -unlock x: -rk 213213-2312312...yourrecoverykey_here...

    (exchange x: for your system drive's letter).

    If that does not work, you will need to resort to your latest backup.

    Saturday, February 25, 2017 1:10 PM
  • Hi Ronald,

    Thanks for your reply!

    I tried the manage-bde -unlock option, but this also gave the same error. So indeed I gave up, and went for the back-up option. I repeated the whole exercise and this time all went fine!

    Kind regards, Johan

    Monday, February 27, 2017 9:51 AM
  • jog,

    Have you checked my post?


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, February 27, 2017 10:08 AM
    Moderator
  • I've just hit a very similar scenario. I have a dual windows 10 boot and booted from the first boot option and started a bitlocker encryption on C: I elected to run the verify first so I don't think the drive is even encrypted yet but I'm being asked for the recovery key which I have but that fails to be recognised. So I booted from the other copy of the OS, this boots OK but from within windows I'm asked for the key to access the other partition. Again the key is not accepted.

    Here is the status:-

    Microsoft Windows [Version 10.0.17134.285]
    (c) 2018 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>Manage-bde -status
    BitLocker Drive Encryption: Configuration Tool version 10.0.17134
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Disk volumes that can be protected with
    BitLocker Drive Encryption:
    Volume D: [Label Unknown]
    [Data Volume]

        Size:                 Unknown GB
        BitLocker Version:    2.0
        Conversion Status:    Unknown
        Percentage Encrypted: Unknown%
        Encryption Method:    AES 128
        Protection Status:    Unknown
        Lock Status:          Locked
        Identification Field: Unknown
        Automatic Unlock:     Disabled
        Key Protectors:
            TPM
            Numerical Password

    Volume C: []
    [OS Volume]

        Size:                 245.85 GB
        BitLocker Version:    None
        Conversion Status:    Fully Decrypted
        Percentage Encrypted: 0.0%
        Encryption Method:    None
        Protection Status:    Protection Off
        Lock Status:          Unlocked
        Identification Field: None
        Key Protectors:       None Found

    Volume F: [HDDRECOVERY]
    [Data Volume]

        Size:                 9.80 GB
        BitLocker Version:    None
        Conversion Status:    Fully Decrypted
        Percentage Encrypted: 0.0%
        Encryption Method:    None
        Protection Status:    Protection Off
        Lock Status:          Unlocked
        Identification Field: None
        Automatic Unlock:     Disabled
        Key Protectors:       None Found

    C:\Windows\system32>

    • Edited by DaveWat Saturday, September 15, 2018 6:12 PM
    Saturday, September 15, 2018 6:06 PM
  • The output of

    manage-bde -protectors -get d:

    will give you the recovery key ID for d:. See if your key is for that ID.

    Monday, September 17, 2018 7:06 AM
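The two checks the replies above recommend, matching the requested key ID against the Numerical Password protector ID from `manage-bde -protectors -get` and making sure the 48-digit key was transcribed correctly before trying `manage-bde -unlock -rk`, as an added example (not code from the thread). The `manage-bde` output, GUIDs and password below are constructed for illustration; the structural rule it checks is that each 6-digit group of a BitLocker recovery password is divisible by 11 with a quotient that fits in 16 bits.

```python
import re

# Constructed sample of `manage-bde -protectors -get d:` output; the IDs and
# the password are fabricated for this example, not taken from the thread.
SAMPLE_PROTECTORS = """\
Volume D: [Label Unknown]
All Key Protectors

    TPM:
      ID: {6C1F6E25-2A3B-4C7D-9E8F-0123456789AB}

    Numerical Password:
      ID: {F0E1D2C3-B4A5-4968-8778-665544332211}
      Password:
        135795-597531-000011-720885-440000-109989-258016-000077
"""

_NUMERICAL_ID = re.compile(r"Numerical Password:\s*ID:\s*\{([0-9A-Fa-f-]{36})\}")


def numerical_password_ids(protectors_output):
    """GUIDs (uppercase, no braces) of every Numerical Password protector."""
    return [m.group(1).upper() for m in _NUMERICAL_ID.finditer(protectors_output)]


def matching_protector(requested_id, protector_ids):
    """The pre-boot recovery screen shows only the first 8 hex characters of the
    key ID, so compare by prefix. Returns the full matching ID, or None."""
    prefix = requested_id.strip("{}").upper()
    return next((pid for pid in protector_ids if pid.startswith(prefix)), None)


def recovery_password_is_well_formed(password):
    """8 groups of 6 digits; each group % 11 == 0 and group // 11 <= 0xFFFF.
    A transcription typo almost always fails this, which separates 'mistyped
    key' from 'correct key offered to the wrong volume or key ID'."""
    groups = password.strip().split("-")
    if len(groups) != 8:
        return False
    for g in groups:
        if len(g) != 6 or not g.isdigit():
            return False
        if int(g) % 11 != 0 or int(g) // 11 > 0xFFFF:
            return False
    return True


if __name__ == "__main__":
    ids = numerical_password_ids(SAMPLE_PROTECTORS)
    print("Numerical Password IDs:", ids)
    print("ID F0E1D2C3 matches:", matching_protector("F0E1D2C3", ids))
    pw = "135795-597531-000011-720885-440000-109989-258016-000077"
    print("Key well-formed:", recovery_password_is_well_formed(pw))
```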