Another Bitlocker key needed after motherboard replacement

timeshifter

I've read a few of the threads here about this and a few MS articles. Still need a little help.

Customer had a desktop motherboard replaced by Dell under warranty. Now upon bootup it asks for the Bitlocker key. They have no idea what it is. I've looked in their Microsoft account(s) and there is no sign of it. Looked at OneDrive online and was excited to see it looked to be created at the time the system was originally installed, but there were absolutely 0 files. I also looked through some of the thumb drives and hard drives they have but no sign of it there.

They've got a couple of decent backups and I'm about ready to do a N&P. But I hate giving up.

A couple of questions:

What will the filename of the copy of the key look like? Do you get to name it yourself, is the filename automatically assigned, etc?

Are you forced to save it to a file / drive or can you just have it save to the MS account?

Also, would it be saved in the normal /Users/Name/Documents or somewhere? If so I might be able to pull it from a backup.
 
I'm not fully versed on Bitlocker but obviously need to be as more people with TPM 2 have Bitlocker turned on and don't realize it. How does Bitlocker handle external drives and cloud files (OneDrive, iCloud, Google Drive, Dropbox, etc.)? Is everything in the cloud also encrypted?
 
External drives are not encrypted unless you directly turn that on, which is only supported in PRO. Bitlocker encrypts the entire drive so any files on the system are encrypted, but while IN WINDOWS those are decrypted as you access them. For example, if you plug in a flash drive and copy a file off of your encrypted drive IN WINDOWS, the files are not encrypted on the flash drive. Files that sync from your PC up to a cloud service are the same way and are not encrypted. Of course, most cloud services have some kind of server-level encryption in place to protect the files they host from hackers, but that is obviously not related to your local BitLocker encryption.
 
BitLocker, the full version that ships with Windows Pro, can only be manually enabled. And it is granular. You can choose to encrypt the whole drive or only a file folder.

Device Encryption comes with Windows Home and Pro (if the system is not connected to a domain or AAD). It is Bitlocker but is limited to only full device encryption and only if the device is a laptop (I believe that Windows 11 is going to change that to add desktops as well), with a TPM module and SSD boot drive, and a Microsoft Account is required. Note that OEMs can disable this but most don't, and I think that Microsoft is now requiring it on Windows 11 no exceptions. So you are going to see this a lot more.

The full version does not need a TPM module (if you lack one then you must have a USB key plugged in or you have to type in the 25-key passcode on every bootup!) nor does it require a Microsoft account, but it will force you to either use an M$ account, make a USB pass key, store the key as a file on an external drive, or print the recovery key on paper. PICK ONE.
 
I saw you reacted to my post here: https://www.technibble.com/forums/t...ker-key-after-update.87310/page-2#post-724180 I guess this didn't help in your situation? A BIOS downgrade may be worth a shot.
Thanks for reminding me about that. I saw that thread and a few others and read through them before posting my thread. At the time I thought I'd be finding a simpler solution and didn't see how that would apply.

Still not sure it will since it's got a new motherboard which apparently triggered this issue. BUT, maybe a new motherboard but the same BIOS version as the old one might not trigger it. Worth a shot. Thanks!
 
It's not going to work. You are being prompted because the decryption key is stored in the TPM module of the old motherboard. In @alexsmith2709's case the TPM didn't change; just some bug in the newer BIOS prevented Windows from accessing it on boot up. This motherboard does not have the key, so no amount of BIOS musical chairs is going to fix it. If you have access to the old motherboard and it is bootable, you can use it to boot up the system and get a copy of the key. Otherwise, you need to find it in the M$ account or you are f'd.
 
I've just never seen file access security outside of the Windows OS to be an issue and the need for Bitlocker, and in most cases accidental Bitlocker, to be totally unneeded and unwanted. (But then again, I lead a sheltered life here in the residential world and may have not thought this through all the way.)
 
That makes sense. So I won't worry about trying new BIOSs.

The machine was installed in January 2020. I helped with getting Quicken converted and running but don't recall if I did the OOBE, I think they had already done that before I came over. I've checked both email addresses they have and ended up on a MS page that clearly stated that there were no Bitlocker keys for those accounts. In fact, I even saw the PC listed in his account, no Bitlocker key. I'm going to check again.
 
If you do a mobo swap, you also have to move the TPM module to maintain access to the drive. If the TPM cannot be moved, and you do not have the recovery key... you're formatting the system.

The recovery key can be exported via PowerShell, something that I'm looking into doing via my RMM so I have those logged no matter what. In the meantime I'm taking ownership of new installs via a personal Microsoft account for each client I'm managing to keep them all in a good place.

But yeah, this new encrypted world is going to make repairs a giant pain in the rear, because mainboard death while unprepared now means lost data.
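The two points in the post above (exporting the recovery key before you need it, and a board/TPM swap locking you out) are easier to act on with a script than from memory. The block below is an added example written for this thread, not code from the poster or from Microsoft. It assumes the built-in BitLocker PowerShell module (Windows 8 / Server 2012 and later) and an elevated prompt; the parameter names $EscrowDir and -SuspendForService are this script's own, not Windows ones. For every encrypted volume it makes sure a numerical recovery password protector exists (a TPM-only volume has nothing a human can type at the recovery screen), writes that password to a file you then move into the RMM or password vault, attempts escrow to Azure AD / Entra ID, and, if asked, suspends protection so the next boot does not depend on the old TPM.

```powershell
# Added example (not from the thread): escrow BitLocker recovery passwords and,
# optionally, suspend protection before a motherboard/TPM replacement.
# Assumes: elevated PowerShell, BitLocker module present (Get-BitLockerVolume etc.).
# $EscrowDir and -SuspendForService are names chosen for this script (hypothetical).
param(
    [string]$EscrowDir = "$env:USERPROFILE\BitLockerEscrow",
    [switch]$SuspendForService
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $EscrowDir -Force | Out-Null

foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Host "$($vol.MountPoint) is not encrypted, skipping"
        continue
    }
    $types = $vol.KeyProtector.KeyProtectorType -join ', '
    Write-Host "$($vol.MountPoint): $($vol.VolumeStatus), protection $($vol.ProtectionStatus), protectors: $types"

    # Make sure a 48-digit RecoveryPassword protector exists; a volume with only a
    # Tpm protector cannot be unlocked by typing anything once that TPM is gone.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        Write-Host "  added a RecoveryPassword protector"
    }

    foreach ($p in $rp) {
        # The key ID is what the recovery screen shows; file it under that ID so the
        # right password can be found from the prompt alone.
        $file = Join-Path $EscrowDir ("{0}-{1}.txt" -f $env:COMPUTERNAME, $p.KeyProtectorId.Trim('{}'))
        @(
            "Computer:          $env:COMPUTERNAME"
            "Volume:            $($vol.MountPoint)"
            "Key protector ID:  $($p.KeyProtectorId)"
            "Recovery password: $($p.RecoveryPassword)"
        ) | Set-Content -Path $file
        Write-Host "  wrote $file"

        # Escrow to Azure AD / Entra ID when the device is joined; on a home PC with a
        # plain Microsoft account this cmdlet fails and we just report it.
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            Write-Host "  escrowed $($p.KeyProtectorId) to Azure AD"
        } catch {
            Write-Warning "  AAD escrow failed for $($vol.MountPoint): $($_.Exception.Message)"
        }
    }

    if ($SuspendForService -and $vol.ProtectionStatus -eq 'On') {
        # Suspend, don't decrypt: the volume stays encrypted but a clear key is stored
        # on disk, so the next boot does not need the old TPM's measurements.
        # -RebootCount 0 keeps it suspended until Resume-BitLocker is run explicitly.
        Suspend-BitLocker -MountPoint $vol.MountPoint -RebootCount 0 | Out-Null
        Write-Host "  protection suspended on $($vol.MountPoint); run Resume-BitLocker after the repair"
    }
}
```

Run it as-is to escrow the keys, and as `.\script.ps1 -SuspendForService` right before a board, TPM or firmware change; `Resume-BitLocker -MountPoint C:` afterwards re-seals the key to the new TPM. The same information is visible without PowerShell via `manage-bde -protectors -get C:`. Note that a Device Encryption machine can report VolumeStatus FullyEncrypted with ProtectionStatus Off: that is the clear-key state it sits in until the recovery key has been backed up to a Microsoft account, which is exactly why the key the original poster is hunting for should be in whichever account finished the OOBE.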
 
If you can't find the key, I guess the only option is N&P. https://www.dell.com/support/kbdoc/...-a-recovery-key-and-you-cannot-locate-the-key suggests an N&P is the only option. You could ask them if they printed anything during the setup process, as doesn't BitLocker give you the option to print the key as well as save it somewhere?
That's the case on a user initiated creation of a Bitlocker drive. But it is not the case for the limited version that they create on first bootup. That Microsoft Account they force clueless end users to create? That's the account that has the key.
 
So the key HAS to be in a Microsoft account? Our problem is then just that they must have used an account that they're not aware of?

It's Windows 10 Home if that makes a difference.
 
Yes, it has to be that. Windows Home only supports Device Encryption, not full Bitlocker. Device Encryption doesn't give the end user an option during OOBE for anything else. After it is up and running you can add other options like USB key or printout, but only techs do that.
 
Just thought of something. As I mentioned they have decent backups. Actually a Veeam image backup and a Windows Image backup and loose files too. Was thinking of a way to tell what the Microsoft account email address was by browsing the backups. Can't think of a way to do that. BUT, I suppose I could restore one of the images to a different computer, boot it up and try to log on?

edit: come to think about it more, I can't think of a suitable computer I have lying around... is there a way to tell the name of the user's MS account from an image backup? Is it in the registry somewhere?
 