BitLocker Recovery

What triggers a BitLocker Recovery?

Triggers for BitLocker Recovery when starting the computer often mean BitLocker is working as designed. The issue may need to be isolated to one of the following causes:

  • Changes to Windows core files
  • Changes to BIOS
  • Changes to the TPM
  • Changes to encrypted volume/boot record
  • Failure to use correct credentials
  • Changes in hardware configuration
Example – BitLocker Recovery Prompt

WARNING: If the Trusted Platform Module (TPM) and BitLocker are enabled on a Dell system and the motherboard is replaced due to a No Power-On Self-Test (POST) issue, you will be prompted to enter the BitLocker Recovery key upon rebooting into the operating system.

RECOMMEND: If possible, suspend BitLocker (for example with the Suspend-BitLocker PowerShell cmdlet) before making any of the above changes to your computer.
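As an added example (not part of the original page), the following PowerShell script records the recovery Key ID prefix the helpdesk will ask for and then suspends protection on the OS volume for one reboot before a BIOS, TPM or hardware change. It assumes an elevated session, the built-in BitLocker module, and that the OS volume is $env:SystemDrive.

```powershell
# Added example, not from the original page. Assumes an elevated PowerShell
# session and the built-in BitLocker module (Get-BitLockerVolume,
# Suspend-BitLocker, Resume-BitLocker).

$osDrive = $env:SystemDrive   # normally "C:"

function Get-RecoveryKeyIdPrefix {
    # Returns the first 8 characters of each recovery-password protector's
    # Key ID on the volume; this is the value the helpdesk page asks for
    # when a user is stuck at the blue recovery screen.
    param([string]$MountPoint = $osDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        throw "No RecoveryPassword protector on $MountPoint - add one before suspending."
    }
    # KeyProtectorId looks like "{12345678-ABCD-...}"; strip the braces first.
    $rp | ForEach-Object { $_.KeyProtectorId.Trim('{}').Substring(0, 8) }
}

function Suspend-BitLockerForMaintenance {
    # Suspends protection for a fixed number of reboots so a firmware/TPM/hardware
    # change does not trip recovery; protection resumes automatically afterwards.
    param([string]$MountPoint = $osDrive, [int]$RebootCount = 1)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "BitLocker protection is already $($vol.ProtectionStatus) on $MountPoint."
        return
    }
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # expect 'Off'
}

# 1. Record the Key ID prefix(es) so the helpdesk can look the key up if needed.
Get-RecoveryKeyIdPrefix | ForEach-Object { "Recovery Key ID prefix: $_" }
# 2. Suspend for one reboot, then perform the hardware/firmware change.
Suspend-BitLockerForMaintenance
# 3. If the change is cancelled, resume right away instead of waiting for the reboot.
# Resume-BitLocker -MountPoint $osDrive
```

After the maintenance reboot, confirm ProtectionStatus reads On again with Get-BitLockerVolume before returning the machine to the user.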


Service Desk and Local IT admins

WARNING: Querying a BitLocker Recovery ID will trigger the BitLocker Recovery Key rotation policy. Therefore, make sure the system remains online for a couple of hours to allow it enough time to escrow the new key to the database.

In order to access the helpdesk page, the user must be a member of one of the local DAR admin groups under “OU=DaR admin groups,OU=Groups,OU=ITSOT,OU=DI,DC=gs,DC=doi,DC=net”. All local COUAs should be able to add, remove, and modify their own groups. Make sure you are accessing the groups under “OU=DaR admin groups,OU=Groups,OU=ITSOT”. Trying to modify the DAR groups under the eAD OU will not work.

Open any web browser and copy and paste the following link: https://iinsxfcmrpt02.doi.net/HelpDesk/KeyRecoveryPage.aspx, or click on the link below.

https://iinsxfcmrpt02.doi.net/HelpDesk/KeyRecoveryPage.aspx

If prompted, enter your AD credentials.

Input at least the first eight characters of the “Key ID” and select an option for the “Reason for Drive Unlock.” All other fields are optional and do not need to be filled out.

AVOID: Do not enter a User Domain or User ID.

Example – Input Recovery ID

Self-Recovery for End User


  1. Open a web browser on a separate system and browse to https://iinsxfcmrpt02.doi.net/SelfService/Home/Notice
  2. Click the check box for “I have read and understand the above notice”, and then click Continue.
  3. Enter the Recovery Key ID from the blue BitLocker screen and select a reason, then click “Get Key”.

Enter the resulting recovery key from the self-recovery website on the system needing recovery.


The system should now boot to the normal Windows login screen.
