How to Recover an Encrypted Drive

Applies To: Microsoft BitLocker Administration and Monitoring

The Encrypted Drive Recovery features of Microsoft BitLocker Administration and Monitoring (MBAM) ensure the capture and storage of data and availability of tools required to access a BitLocker-protected volume when BitLocker goes into recovery mode, is moved, or becomes corrupted. Use the following procedures to recover a BitLocker-protected drive.

To Recover a Locked Drive

The Encrypted Drive Recovery features of Microsoft BitLocker Administration and Monitoring ensure the capture and storage of data and availability of tools required to access a BitLocker-protected volume when BitLocker goes into recovery mode. A BitLocker-protected volume goes into recovery mode when a PIN or password is lost or forgotten, or when the Trusted Platform Module (TPM) chip detects changes to the BIOS or startup files of a computer.

Use this procedure to access the centralized key recovery data system that can provide a recovery password, as long as a recovery password ID and associated user identifier are supplied.

  1. Open a web browser and navigate to the Microsoft BitLocker Administration and Monitoring website.

  2. In the navigation pane, click Drive Recovery. This opens the “Recover access to an encrypted drive” webpage.

  3. Enter the Windows logon domain and user name of the user whose recovery information you want to view, and either the first eight digits of the recovery key ID (to receive a list of possible matching recovery keys) or the entire recovery key ID (to receive the exact recovery key). Select one of the predefined options in the Reason for Drive Unlock drop-down list, and then click Submit.

    Note

    If you are an MBAM Advanced Helpdesk user, the user domain and user ID entries are not required.

  4. Microsoft BitLocker Administration and Monitoring returns the following:

    1. An error message if no matching recovery password is found

    2. Multiple possible matches if the user has multiple matching recovery passwords

    3. The recovery password and recovery package for the submitted user

      Note

      If you are recovering a damaged drive, the recovery package option provides BitLocker with critical information necessary to attempt to recover the drive.

  5. After the recovery password and recovery package are retrieved, the recovery password is displayed. To copy the password, click Copy Key, and then paste the recovery password into an email message. Or, to save the recovery password to a file, click Save.

  6. When the user types the recovery password into the system or uses the recovery package, the drive is unlocked.

To Recover a Moved Drive

When you move an operating system drive that is encrypted by using Microsoft BitLocker Administration and Monitoring, the drive will not accept the PIN used in the previous computer because of the change to the Trusted Platform Module (TPM) chip. You will need a way to obtain the recovery key ID so that you can retrieve the recovery password and use the moved drive. Use the following procedure to recover a drive that has been moved.

  1. Start the computer that contains the moved drive in Windows Recovery Environment (WinRE) mode, or start the computer by using the Microsoft Diagnostics and Recovery Toolset 6.5 (MS DaRT).

  2. As soon as the computer has been started with WinRE or MS DaRT, MBAM will treat the moved operating system drive as a data drive. MBAM will then display the drive’s recovery password ID and ask for the recovery password.

    Note

    In some cases, you may click I forget the PIN during the startup process and enter the recovery mode. This also displays the recovery key ID.

  3. Use the recovery key ID to retrieve the recovery password and unlock the drive from the MBAM console website.

  4. If the moved drive was configured to use a TPM chip on the original computer, you must take additional steps after unlocking the drive and completing the start process. In WinRE mode, open a command prompt and use the manage-bde tool to decrypt the drive; decrypting the drive is the only way to remove the TPM plus PIN protector without the original TPM chip.

  5. As soon as this is completed, start the system normally. The MBAM agent will now enforce the policy to encrypt the drive with the new computer’s TPM plus PIN.
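The following PowerShell script is an added example that is not part of the MBAM documentation or the MBAM product; it covers the unlock step shared by the locked-drive and moved-drive procedures above, and the decrypt step that the moved-drive procedure adds. It assumes it is run from an elevated prompt (or a WinRE/DaRT command prompt on which PowerShell is available), that manage-bde is present, and that $Volume is the letter the locked volume has in the current environment (in WinRE this is usually not C:). The parameter names and the regular expressions that parse manage-bde's output are this example's own choices.

```powershell
# Added example (not MBAM's own code). Unlock a BitLocker volume with the 48-digit
# recovery password obtained from the MBAM Drive Recovery page and, for a moved
# OS drive, decrypt it so the TPM+PIN protector bound to the old TPM goes away.
# Assumptions: elevated prompt, manage-bde available, $Volume is the letter the
# locked volume has in this environment (in WinRE it is usually not C:).
param(
    [Parameter(Mandatory)][string]$Volume,           # e.g. 'D:'
    [Parameter(Mandatory)][string]$RecoveryPassword, # 48 digits, with or without dashes
    [switch]$DecryptAfterUnlock                      # moved-drive case (step 4 above)
)

# 1. Read the protectors so the helpdesk user has the recovery password ID to
#    submit. manage-bde lists it under "Numerical Password:" as "ID: {GUID}".
$protectorText = & manage-bde -protectors -get $Volume 2>&1 | Out-String
$ids = @([regex]::Matches($protectorText,
        'Numerical Password:\s*ID:\s*\{([0-9A-Fa-f-]{36})\}') |
        ForEach-Object { $_.Groups[1].Value })
if ($ids.Count -eq 0) { throw "No numerical password protector reported for $Volume." }
foreach ($id in $ids) {
    Write-Host "Recovery key ID: $id (first eight characters for MBAM search: $($id.Substring(0, 8)))"
}

# 2. Normalise the recovery password to 8 groups of 6 digits before calling
#    manage-bde, so a typo is caught here rather than reported as a bad key.
$digits = $RecoveryPassword -replace '[\s-]', ''
if ($digits -notmatch '^\d{48}$') { throw 'The recovery password must be 48 digits.' }
$formatted = (0..7 | ForEach-Object { $digits.Substring($_ * 6, 6) }) -join '-'

& manage-bde -unlock $Volume -RecoveryPassword $formatted
if ($LASTEXITCODE -ne 0) { throw "manage-bde -unlock failed with exit code $LASTEXITCODE" }

# 3. Moved OS drive only: decrypt the volume (the procedure's supported way to
#    drop the TPM+PIN protector without the original TPM) and wait until
#    manage-bde reports it fully decrypted. The MBAM agent re-encrypts the drive
#    with the new computer's TPM+PIN on the next normal start.
if ($DecryptAfterUnlock) {
    & manage-bde -off $Volume
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -off failed with exit code $LASTEXITCODE" }
    do {
        Start-Sleep -Seconds 30
        $status = & manage-bde -status $Volume | Out-String
        $pct = [regex]::Match($status, 'Percentage Encrypted:\s*([\d.]+)%').Groups[1].Value
        Write-Host "Decryption in progress, $pct% still encrypted"
    } until ($status -match 'Conversion Status:\s*Fully Decrypted')
    Write-Host "$Volume is fully decrypted; restart normally so the MBAM agent can re-encrypt it."
}
```

Usage: `.\Unlock-MbamVolume.ps1 -Volume D: -RecoveryPassword '123456-...'` for a locked data or OS drive, adding `-DecryptAfterUnlock` only for the moved-drive case. The script deliberately polls manage-bde -status rather than returning as soon as -off is accepted, because decryption continues in the background and restarting before it finishes leaves the old protector in place.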

To Recover a Corrupted Drive

To recover a corrupted drive protected by BitLocker, a Microsoft BitLocker Administration and Monitoring help desk user will need to create a recovery key package file. This package file can then be copied to the computer that contains the corrupted drive, and then used to recover the drive. Use the following procedure for the steps needed to do this.

  1. To create the recovery key package necessary to recover a corrupted drive, start a web browser and open the MBAM console webpage.

  2. Select Drive Recovery from the left-side navigation pane. Enter the user’s domain name, user name, reason for unlocking the drive, and the user’s recovery password ID.

    Note

    If you are an MBAM Advanced Helpdesk user, you do not have to enter the user’s domain name or user name.

  3. Click Submit. The recovery key will be displayed.

  4. Click Save and then select Recovery Key Package. The recovery key package will be created on your computer.

  5. Copy the recovery key package to the computer that has the corrupted drive.

  6. Open an elevated command prompt. To do this, click Start and type cmd in the Search programs and files box. Right-click cmd.exe and select Run as administrator.

  7. At the command prompt, type the following:

    repair-bde <fixed drive> <corrupted drive> -kp <location of keypackage> -rp <recovery password>

    Note

    Replace <fixed drive> with an available hard disk drive that has free space equal to or larger than the data on the corrupted drive. Data on the corrupted drive is recovered and moved to the specified hard disk drive.
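The following PowerShell wrapper is an added example that is not part of the MBAM documentation or the MBAM product; it runs the repair-bde command from step 7 with the checks a practitioner would want first. It assumes an elevated prompt, that the recovery key package exported from the MBAM Drive Recovery page has been copied to the computer, and that the output is either an unencrypted volume at least as large as the corrupted one or a path to an image file. The parameter names and placeholder paths are this example's own; the repair-bde switches (-kp, -rp, -lf, -f) are the tool's documented short forms.

```powershell
# Added example (not MBAM's own code). Run repair-bde with the MBAM-exported key
# package and the 48-digit recovery password, after checking the inputs.
# Assumptions: elevated prompt; $CorruptedVolume is the damaged BitLocker volume;
# $Target is an unencrypted volume (its contents are overwritten by the repair)
# or a path to an image file; paths below are placeholders.
param(
    [Parameter(Mandatory)][string]$CorruptedVolume,   # e.g. 'E:'
    [Parameter(Mandatory)][string]$Target,            # e.g. 'F:' or 'F:\recovered.img'
    [Parameter(Mandatory)][string]$KeyPackagePath,    # e.g. 'C:\Recovery\KeyPackage.kpg'
    [Parameter(Mandatory)][string]$RecoveryPassword,  # 48 digits from the MBAM page
    [string]$LogFile = "$env:TEMP\repair-bde.log"
)

# Fail early on the inputs repair-bde would otherwise reject part-way through.
if (-not (Test-Path -LiteralPath $KeyPackagePath)) { throw "Key package not found: $KeyPackagePath" }
$digits = $RecoveryPassword -replace '[\s-]', ''
if ($digits -notmatch '^\d{48}$') { throw 'The recovery password must be 48 digits.' }
$formatted = (0..7 | ForEach-Object { $digits.Substring($_ * 6, 6) }) -join '-'

if ($Target -match '^[A-Za-z]:$') {
    # Output is a volume: it must be at least as large as the corrupted one, and
    # everything on it is overwritten. A locked or damaged volume may report a
    # size of 0 through WMI, in which case the size comparison is skipped.
    $src = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$CorruptedVolume'"
    $dst = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Target'"
    if ($src -and $dst -and $src.Size -and $dst.Size -and
        [uint64]$dst.Size -lt [uint64]$src.Size) {
        throw "$Target ($($dst.Size) bytes) is smaller than $CorruptedVolume ($($src.Size) bytes)."
    }
    Write-Warning "All existing data on $Target will be overwritten by repair-bde."
}

# -kp/-rp are the short forms of -KeyPackage/-RecoveryPassword, -lf writes a
# log of the repair, and -f dismounts the corrupted volume even if it cannot be
# locked cleanly (it is damaged, so an open handle is likely).
& repair-bde $CorruptedVolume $Target -kp $KeyPackagePath -rp $formatted -lf $LogFile -f
if ($LASTEXITCODE -ne 0) { throw "repair-bde exited with code $LASTEXITCODE; see $LogFile" }
Write-Host "repair-bde finished; details are in $LogFile."
if ($Target -match '^[A-Za-z]:$') {
    Write-Host "Run 'chkdsk $Target /f' before relying on the recovered data."
}
```

Usage: `.\Repair-MbamVolume.ps1 -CorruptedVolume E: -Target F: -KeyPackagePath C:\Recovery\KeyPackage.kpg -RecoveryPassword '123456-...'`. Writing to an image file instead of a volume is useful when no spare disk of sufficient size is attached; the image can then be mounted or copied elsewhere for analysis.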

See Also

Other Resources

Operations for MBAM