bitlocker protection off and no key protectors, but drive is encrypted

  • Question

  • Hi,

    I have a new laptop running windows 10 version 1709. I am new to bitlocker and am trying to ensure my drive is protected.  I have read the Windows 10 bitlocker guide, but I don't quite understand what I need to do to ensure my drive is fully protected.

    When I go to Settings -> Update & Security -> Device Encryption, I get the following (screenshot: Device encryption Settings):

    So Bitlocker is turned on, and the drive is encrypted, but when I click on "Sign in with a Microsoft account instead" it just takes me to my Settings -> Accounts -> "Your info" page, which shows my microsoft email account and that I am an Administrator. Clicking on "Manage my Microsoft Account" it takes me to the account.microsoft.com webpage where I see that Bitlocker is suspended:

    (screenshot: device info on MS Account)

    When using the manage-bde command line utility to check the status of the OS volume, I get the following output:

    Microsoft Windows [Version 10.0.16299.431]
    (c) 2017 Microsoft Corporation. All rights reserved.

    C:\WINDOWS\system32>manage-bde -status c:
    BitLocker Drive Encryption: Configuration Tool version 10.0.16299
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Volume C: [Windows]
    [OS Volume]
        Size:                 150.94 GB
        BitLocker Version:    2.0
        Conversion Status:    Used Space Only Encrypted
        Percentage Encrypted: 100.0%
        Encryption Method:    XTS-AES 128
        Protection Status:    Protection Off
        Lock Status:          Unlocked
        Identification Field: Unknown
        Key Protectors:       None Found

    When I go to MS support I get the following instructions, but when I type "encryption" into search it comes up with "Change device encryption settings" in Settings, but not "Manage Bitlocker" as the instructions say.

    And when I go to "Device Encryption" in the Control Panel, it tells me to go to Settings -> System -> Device Encryption

    How do I ensure I have a recovery password and that this drive is fully protected?

    Thank you for any assistance.

    Andreas

    Tuesday, May 22, 2018 5:36 PM

Answers

  • Argh.

    I confused 2 parameters. Make it with

    manage-bde -protectors -add c: -rp

    • Proposed as answer by Dou Mohamed Wednesday, September 25, 2019 4:05 PM
    • Marked as answer by boffies Friday, September 27, 2019 6:09 AM
    Monday, May 28, 2018 5:59 AM

All replies

  • Device encryption uses BitLocker technology, but "is" not BitLocker.

    Please verify that your TPM chip is activated and ready for use (use tpm.msc to verify). If it is, use the command line to add a protector:

    manage-bde -protectors -add c: -tpm

    then, if successful, resume bitlocker protection:

    manage-bde -protectors -enable c:

    Tuesday, May 22, 2018 8:59 PM
  • Thank you Ronald.

    Using TPM.msc has shown me that my TPM is ready for use, but the firmware has a vulnerability, so I am busy updating the firmware. Surprised this was not picked up by Windows Update.

    Anyway, I wanted to ask if running the command lines above will also ensure a password is set?

    I suppose I have to clear the TPM after updating the firmware... I should do this before running the above command lines, and is there any risk of losing access to my data when doing so, since Bitlocker is currently encrypting my drive, but is not using the TPM?

    Thank you.


    • Edited by boffies Wednesday, May 23, 2018 8:53 AM
    Wednesday, May 23, 2018 8:50 AM
  • "running the command lines above will also ensure a password is set?" - no, you have the home edition and home does not feature passwords for bitlocker. In fact, it does not have bitlocker at all, but instead "bitlocker light" = "device encryption" = "bitlocker with reduced options". You cannot use a password but only the TPM.

    You could overcome that limitation by connecting your drive to a 2nd system that has BL and encrypt your drive there.

    Wednesday, May 23, 2018 9:00 AM
  • Thanks again Ronald.

    First question then regarding home edition with no password, is there a recovery key that I need to save somewhere?

    Second question:

    I have updated the firmware on my TPM and run the command lines on my OS drive.

    I have another drive with the exact same manage-bde -status output. When I run the first command-line against that, "manage-bde -protectors -add d: -tpm" it returns the following error:

    ERROR: Only the OS volume may be secured with the TPM.

    Does that mean I cannot change the protection level on any other volumes?


    Wednesday, May 23, 2018 3:02 PM
  • "is there a recovery key that I need to save somewhere?" - yes, it will be saved to your Onedrive automatically, if I am not mistaken. The URL should be http://onedrive.live.com/RecoveryKey 

    About other volumes: I would have to try that, but I have no home license right here on a device that entitles for device encryption. The TPM can only be used for OS volumes and I am not sure if dev Enc. allows encryption of non-OS drives.

    Wednesday, May 23, 2018 4:02 PM
  • This is a bit scary now, because following the link I got nothing:

    (screenshot: MS OneDrive)

    When I go to the Control Panel Device Encryption it tells me I should back up my key, but gives me no method of doing this:

    (screenshot: recovery key in Device Encryption)

    Thursday, May 24, 2018 5:11 PM
  • Ok, run

    manage-bde -protectors -get c:

    and share the output.

    Friday, May 25, 2018 6:56 AM
  • Here is the output:

    C:\WINDOWS\system32>manage-bde -protectors -get c:
    BitLocker Drive Encryption: Configuration Tool version 10.0.16299
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Volume C: [Windows]
    All Key Protectors

        TPM:
          ID: {A67ECC8E-00C9-4378-9E36-868F789E8869}
          PCR Validation Profile:
            7, 11
            (Uses Secure Boot for integrity validation)

    Friday, May 25, 2018 9:31 AM
  • There is simply no recovery key set, yet. I don't know why, but please try to set one:

    manage-bde -protectors -add c: -rk

    Friday, May 25, 2018 9:44 AM
  • Thanks Ronald. I got the following returned on that:

    ERROR: Parameter "-RecoveryKey" requires an argument.

    I don't know if I should be giving it a password or something. I tried to look at the docs for this. I couldn't find "RecoveryKey", but found "changekey" in https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-changekey

    That might be Windows Server docs and might not work for me.

    Upon closer inspection, my OneDrive does have the following file name in its root ".849C9593-D756-4E56-8D6E-42412F2A707B", without any file extension, but its size is 0KB.

    Should I just add an alphanumeric password argument on to that command line you've given me?

    Friday, May 25, 2018 2:42 PM
  • First I made this in cmd:

    manage-bde -protectors -get c:

    and I've got like Mr. boffies:

    Volume C: [Windows]
    All Key Protectors

        TPM:
          ID: {A67ECC8E-00C9-4378-9E36-868F789E8869}
          PCR Validation Profile:
            7, 11
            (Uses Secure Boot for integrity validation)

    Then I've tried to do like what you said:

    manage-bde -protectors -add c: -rp

    and I've got like this:

    Key Protectors Added:

        Numerical Password:
          ID: {...}
          Password:
            xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx

    ACTIONS REQUIRED:

        1- Save this numerical recovery password in a secure location away from your computer:

        xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx

        To prevent data loss, save this password immediately. This password helps ensure that you can unlock the encrypted volume.

    I think it works. Thanks Mr. Ronald.

    • Edited by Dou Mohamed Wednesday, September 25, 2019 4:39 PM
    Wednesday, September 25, 2019 4:19 PM
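As an added example (not code from the thread or from Microsoft), a PowerShell script that runs the manage-bde steps from the replies above in the right order, checking the current state first so it is safe to re-run. It assumes an elevated prompt and English-language manage-bde output; the -tpm step is skipped on anything but the OS volume, matching the error boffies hit on D:.

```powershell
# Added example, not code from the thread: runs the same manage-bde.exe steps Ronald gave,
# but checks first so it is safe to re-run. Needs an elevated prompt (Run as administrator).
# Assumes English manage-bde output; the string matches below are locale-specific.
param([string]$MountPoint = 'C:')

function Invoke-ManageBde {
    param([string[]]$Arguments)
    # manage-bde reports errors as text plus a non-zero exit code; return both to the caller
    $raw = & manage-bde.exe @Arguments 2>&1
    return [pscustomobject]@{ ExitCode = $LASTEXITCODE; Text = ($raw -join "`n") }
}

# 1. Same view as the first post: is protection on for this volume?
$status = Invoke-ManageBde -Arguments @('-status', $MountPoint)
if ($status.ExitCode -ne 0) { throw "manage-bde -status failed:`n$($status.Text)" }
$protectionOff = $status.Text -match 'Protection Status:\s+Protection Off'

# 2. Which protectors exist? With none at all, -get fails, so treat a non-zero exit as "none".
$get = Invoke-ManageBde -Arguments @('-protectors', '-get', $MountPoint)
$hasTpm              = ($get.ExitCode -eq 0) -and ($get.Text -match '(?m)^\s*TPM:')
$hasRecoveryPassword = ($get.ExitCode -eq 0) -and ($get.Text -match 'Numerical Password:')

# 3. TPM protector only on the OS volume (the D: attempt in the thread failed with
#    "Only the OS volume may be secured with the TPM").
if (-not $hasTpm -and $MountPoint -eq $env:SystemDrive) {
    $r = Invoke-ManageBde -Arguments @('-protectors', '-add', $MountPoint, '-tpm')
    if ($r.ExitCode -ne 0) { throw "Adding TPM protector failed:`n$($r.Text)" }
}

# 4. Numerical recovery password: -rp, not -rk (-rk expects a folder path for a key file,
#    which is why the bare -rk attempt in the thread asked for an argument).
if (-not $hasRecoveryPassword) {
    $r = Invoke-ManageBde -Arguments @('-protectors', '-add', $MountPoint, '-rp')
    if ($r.ExitCode -ne 0) { throw "Adding recovery password failed:`n$($r.Text)" }
    # The 48-digit password is printed once; store it away from the machine, as manage-bde says.
    Write-Output $r.Text
}

# 5. Resume protection; this is what turns "Protection Off" into "Protection On".
if ($protectionOff) {
    $r = Invoke-ManageBde -Arguments @('-protectors', '-enable', $MountPoint)
    if ($r.ExitCode -ne 0) { throw "Enabling protection failed:`n$($r.Text)" }
}

# 6. Final check: expect "Protection On" and a Numerical Password listed under Key Protectors.
(Invoke-ManageBde -Arguments @('-status', $MountPoint)).Text -split "`n" |
    Select-String 'Protection Status|Key Protectors|Numerical Password|TPM'
```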