Bitlocker recovery after Linux install with Windows 11 no Microsoft Account

Anonymous
2022-01-31T13:54:51+00:00

Hello,

Please read the two questions in the end.

I have a laptop (Fujitsu Lifebook U7411) with Windows 10 preinstalled from factory. After the first boot, I just defined a user and resized the factory Data partition to free space for a Linux partition. Meanwhile I upgraded to Windows 11, and after a couple of days decided to install Ubuntu 20.04 LTS in the free partition, with a dual boot configuration, using GRUB as the boot manager.

Since the Linux installation the PC cannot boot Windows; it shows a Bitlocker screen and asks for a password. The two Windows partitions are locked by Bitlocker and encrypted.

I did a little research and almost every answer in the Microsoft Community points to this article: https://support.microsoft.com/en-us/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6

None of the options in that article is helpful:

  1. In your Microsoft account: I never signed up with a Microsoft Account in this machine.
  2. On a printout: Windows was preinstalled from factory, never touched any Bitlocker configuration until I came across this problem.
  3. On a USB flash drive: Same answer as in 2.
  4. In an Azure Active Directory account: Never logged in to an organization account.
  5. Held by your system administrator: I do not have a system administrator, I am the only person using the laptop since unboxing.

I tried some advanced options using the manage-bde command, from the Advanced Recovery options Command Line:

  1. Option manage-bde autounlock, just tells the drive is locked.
  2. Running command manage-bde C: -protectors -get prints two key protectors (TPM and Numerical Password), but just the IDs, no passwords.

Finally, I tried modifying some BIOS settings:

  1. Enabling and disabling TPM, does not work.
  2. Tried to turn off secure boot, the BIOS does not allow to change it. I tried to set the BIOS supervisor password, but even that did not unlock the secure boot disable.
  3. In the boot menu and BIOS, put the Windows Boot Manager first, did not work.
  4. Boot Windows from GRUB, does not work.
  5. All the previous options arranged in all possible combinations, did not work.

Questions:

  1. Because Windows was preinstalled from factory, is it possible that Bitlocker was activated by the OEM and the password was neglected and never shipped with the laptop? (I looked at the laptop box and instruction manual, no password there).
  2. Is it possible to unlock Bitlocker using the TPM? If so, how can I proceed? If not, what options do I have available at this point?

Thank you for your time.

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

8 answers

  1. Anonymous
    2022-04-15T16:51:04+00:00

    Bitlocker detects that it has been started by something else than UEFI. Go to the UEFI settings ("BIOS") and set Windows as first boot option and start again. Windows 11 will start normally. Then you can basically:

    1. Disable Bitlocker, remove encryption and set grub2 again as first boot option
    2. Extract the encryption key and try again with the dialog you have seen.

    Option 1 works, but you don't have Bitlocker encryption in place. Option 2 might work, I have not tried it further, since I do not consider having the decryption keys stored in the TPM to be secure (but it is still considered to be state of the art...).

    4 people found this answer helpful.
  2. LightJack 05 2,575 Reputation points Volunteer Moderator
    2022-01-31T16:16:19+00:00

    Hi,

    If you log in to a PC with an MS Account during setup that has TPM and Secure Boot enabled, Windows will automatically enable Device Encryption (the setting can be found under: Settings > Update & Security > Device Encryption).

    Windows will save the recovery key in your MS account: https://account.microsoft.com/devices/recoverykey

    This fooled me too the first time I noticed it. If your key is not saved in there, you probably have to reinstall Windows.

    Regards,

    LightJack

    Edit: Once some security configuration is changed, BitLocker will lock the drive until the correct recovery key is entered. Unfortunately at this point there is no way to regain access except for entering this key.

    I also want to emphasize that this is the reason we make backups of our data. Whether it's encryption or a drive failure, this data loss can be prevented with an offsite backup.

    Encryption is designed to protect the data from unauthorized access. There is no way (that can be performed in a reasonable amount of time) to unlock the drive. Sometimes returning the BIOS configuration to the state it was in during the Windows setup and then booting Windows directly from the UEFI and not GRUB works, but this has mostly been fixed.

    2 people found this answer helpful.
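
The two answers above describe BitLocker locking when the boot path changes and unlocking again when Windows Boot Manager is started directly from the firmware. A simplified model of the TPM sealing behind that behaviour, as an added example that is not part of the thread (the single PCR, the component names and the `ToyTpm` class are assumptions for illustration, not the real TPM interface):

```python
import hashlib
import hmac

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_chain(components) -> bytes:
    """Replay a boot chain into one PCR, starting from all zeroes."""
    pcr = bytes(32)
    for c in components:
        pcr = extend(pcr, c)
    return pcr

class ToyTpm:
    """Releases a sealed secret only when the current PCR equals the sealed one."""
    def __init__(self):
        self._sealed = None

    def seal(self, secret: bytes, expected_pcr: bytes) -> None:
        self._sealed = (secret, expected_pcr)

    def unseal(self, current_pcr: bytes):
        secret, expected = self._sealed
        if hmac.compare_digest(current_pcr, expected):
            return secret
        return None  # at this point BitLocker asks for the recovery password

# Constructed stand-ins for the boot stages the firmware measures.
DIRECT_BOOT = [b"uefi-firmware", b"secure-boot-policy", b"windows-boot-manager"]
VIA_GRUB = [b"uefi-firmware", b"secure-boot-policy", b"grub",
            b"windows-boot-manager"]

def demo():
    tpm = ToyTpm()
    volume_key = b"constructed-volume-key"
    # Sealed at setup time, when Windows Boot Manager was started directly.
    tpm.seal(volume_key, measure_chain(DIRECT_BOOT))
    return {
        "direct": tpm.unseal(measure_chain(DIRECT_BOOT)),
        "via_grub": tpm.unseal(measure_chain(VIA_GRUB)),
        "direct_again": tpm.unseal(measure_chain(DIRECT_BOOT)),
    }

if __name__ == "__main__":
    for path, key in demo().items():
        print(path, "->", "unsealed" if key else "recovery password required")
```

Nothing is erased when the measurement differs: the sealed key stays in place, which is why restoring the original boot order can let the TPM protector work again without the recovery password.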
  3. Anonymous
    2022-01-31T16:03:05+00:00

    Hi mariner blue, thank you for your answer.

    I have a lockscreen password, but the BitLocker screen asks for a numerical password, while my lockscreen is alphanumerical.

    Regarding the three points you mentioned.

    1. As I said, since the first time I hit the BitLocker screen I was not allowed to write any characters in the BitLocker password field, only numbers. Besides the user password I never created any other password in this laptop. That is why I asked if it would be possible that the OEM activated BitLocker from factory and neglected the password.

    Additionally, meanwhile, because I have Ubuntu working in the machine, I tried to mount the Windows partitions using dislocker. I tried it by running `dislocker -r -V /dev/nvme0n1p4 -u<WINDOWS_USER_PASSWORD> -- /media/bitlocker` (also with sudo) with my Windows user password and did not succeed.

    2. I am almost sure nobody activated BitLocker since unboxing, I am the only person using the laptop. But from your answer, when you say "you personally would have had access to the password or you would have never gotten past the lockscreen long ago.", are you referring to the user password?
    3. As far as I can tell, nobody used this laptop except me.

    Regarding Microsoft Account, this account I am using is my organization account. I tried to use it with the laptop, but maybe because I have a federated login, it never worked with the device, only through the web browser.

    The problem is obviously that I have important work in this drive and I do not have a backup. I already phoned Fujitsu support to check if it would be possible that this was activated before shipping. I am waiting for their answer. Next step will be to uninstall Ubuntu, but because it still can see the partitions I am trying to find alternatives.

    Could the TPM be used for unlocking?


    2 people found this answer helpful.
    0 comments No comments
  4. Anonymous
    2022-01-31T17:36:31+00:00

    A puzzle for sure. However, I'm still thinking the recovery key is stored on somebody's Microsoft Account, unless your computer went rogue and locked up on its own. You say you're the only person who has used the computer since it was unboxed. Do you remember if you entered an email address or phone number when you enabled your lockscreen password? If you did, it might be worth a few minutes of your time to double-check that you don't have a Microsoft Account. See: You Forgot Your Microsoft Account Username.

    Sorry, but I'm not an expert on TPM. Hopefully, someone else can answer that for you.

    1 person found this answer helpful.
  5. Anonymous
    2022-01-31T15:09:46+00:00

    Hi,

    Your issue is kind of intriguing because if BitLocker is enabled on a computer, then every time the computer is restarted, or turned on, or the lock screen is locked, a password is needed to get back in. It sort of sounds like you've never had a lockscreen password (or biometric password). Is that correct? If that's the case, I guess it's possible the protection system simply auto-locked when it detected what it considered some sort of unauthorized access.

    The article you linked to states that there are 3 common ways for BitLocker to start protecting your device:

    1. Some newer devices automatically enable it when you first use the computer, in which case the recovery key is automatically saved to your Microsoft Account before protection is activated. The password is not something that ships with the device. It's something a user creates and saves. It usually functions as the lockscreen password. It could be a Windows Hello PIN (or biometric).
    2. You or somebody else activated BitLocker on your computer and saved the key to their Microsoft Account. But still, you personally would have had access to the password or you would have never gotten past the lockscreen long ago.
    3. A company or organization activated it. Same as #2 above.

    If you are certain that #2 and #3 couldn't have happened, then is it even remotely possible that you once had a Microsoft Account at some point on any machine? But again, I'm puzzled if you never had a lockscreen password. Nonetheless, you could try this: You Forgot Your Microsoft Account Username

    If not, then the article states that if you are unable to locate the recovery key and are unable to revert the configuration change that might have caused BitLocker to lock, you’ll need to reset your device using one of the Windows Recovery Options. Unfortunately, resetting your device will remove all of your files.

    I don't know if removing the Linux installation would revert the computer back to a state where BitLocker would not auto-lock. It auto-locked because it detected some sort of unauthorized access and you posted that it was at that point.
