bitlocker protection off and no key protectors, but drive is encrypted

Question

Tuesday, May 22, 2018 5:36 PM

Hi,

I have a new laptop running windows 10 version 1709. I am new to bitlocker and am trying to ensure my drive is protected.  I have read the Windows 10 bitlocker guide, but I don't quite understand what I need to do to ensure my drive is fully protected.

When I go to Settings -> Update & Security -> Device Encryption, I get the following:

So Bitlocker is turned on, and the drive is encrypted, but when I click on "Sign in with a Microsoft account instead" it just takes me to my Settings -> Accounts -> "Your info" page, which shows my microsoft email account and that I am an Administrator. Clicking on "Manage my Microsoft Account" it takes me to the account.microsoft.com webpage where I see that Bitlocker is suspended:

When using the manage-bde command line utility to check the status of the OS volume, I get the following output:

Microsoft Windows [Version 10.0.16299.431]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>manage-bde -status c:
BitLocker Drive Encryption: Configuration Tool version 10.0.16299
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
[OS Volume]
    Size:                 150.94 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:   ** Protection Off**
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:       None Found

When I go to MS support I get the following instructions, but when I type "encryption" into search it comes up with "Change device encryption settings" in Settings, but not "Manage Bitlocker" as the instructions say.

And when I go to "Device Encryption" in the Control Panel, it tells me to go to Settings -> System -> Device Encryption

How do I ensure I have a recovery password and that this drive is fully protected?

Thank you for any assistance.

Andreas

All replies (12)

Monday, May 28, 2018 5:59 AM ✅ Answered | 1 vote

Argh.

I confused 2 parameters. Make it with

manage-bde -protectors -add c: -rp


Tuesday, May 22, 2018 8:59 PM

Device encryption is using bitlocker technology, but "is" not bitlocker.

Please verify if your tpm chip is activated and ready for usage if it is (use tpm.msc to verify), use the command line to add a protector:

manage-bde -protectors -add c: -tpm

then, if successful, resume bitlocker protection:

manage-bde -protectors -enable c:


Wednesday, May 23, 2018 8:50 AM

Thank you Ronald.

Using TPM.msc has shown me that my TPM is ready for use, but the firmware has a vulnerability, so I am busy updating the firmware. Surprised this was not picked up by Windows Update.

Anyway, I wanted to ask if running the command lines above will also ensure a password is set?

I suppose I have to clear the TPM after updating the firmware... I should do this before running the above command lines, and is there any risk of losing access to my data when doing so, since Bitlocker is currently encrypting my drive, but is not using the TPM?

Thank you.


Wednesday, May 23, 2018 9:00 AM

"running the command lines above will also ensure a password is set?" - no, you have the home edition and home does not feature passwords for bitlocker. In fact, it does not have bitlocker at all, but instead "bitlocker light" = "device encryption" = "bitlocker with reduced options". You cannot use a password but only the TPM.

You could overcome that limitation by connecting your drive to a 2nd system that has BL and encrypt your drive there.


Wednesday, May 23, 2018 3:02 PM

Thanks again Ronald.

First question then regarding home edition with no password, is there a recovery key that I need to save somewhere?

Second question:

I have updated the firmware on my TPM and run the command lines on my OS drive.

I have another drive with the exact same manage-bde -status output. When I run the first command-line against that, "manage-bde -protectors -add d: -tpm" it returns the following error:

ERROR: Only the OS volume may be secured with the TPM.

Does that mean I cannot change the protection level on any other volumes?


Wednesday, May 23, 2018 4:02 PM

"is there a recovery key that I need to save somewhere?" - yes, it will be saved to your Onedrive automatically, if I am not mistaken. The URL should be http://onedrive.live.com/RecoveryKey 

About other volumes: I would have to try that, but I have no home license right here on a device that entitles for device encryption. The TPM can only be used for OS volumes and I am not sure if dev Enc. allows encryption of non-OS drives.


Thursday, May 24, 2018 5:11 PM

This is a bit scary now, because following the link I got nothing:

When I go to the Control Panel Device Encryption it tells me I should back up my key, but gives me no method of doing this:


Friday, May 25, 2018 6:56 AM

Ok, run

manage-bde -protectors -get c:

and share the output.


Friday, May 25, 2018 9:31 AM

Here is the output:

C:\WINDOWS\system32>manage-bde -protectors -get c:
BitLocker Drive Encryption: Configuration Tool version 10.0.16299
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
All Key Protectors

    TPM:
      ID: {A67ECC8E-00C9-4378-9E36-868F789E8869}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)


Friday, May 25, 2018 9:44 AM

There is simply no recovery key set, yet. I don't know why, but please try to set one:

manage-bde -protectors -add c: -rk


Friday, May 25, 2018 2:42 PM

Thanks Ronald. I got the following returned on that:

ERROR: Parameter "-RecoveryKey" requires an argument.

I don't know if I should be giving it a password or something. I tried to look at the docs for this. I couldn't find "RecoveryKey", but found "changekey" in /en-us/windows-server/administration/windows-commands/manage-bde-changekey

That might be Windows Server docs and might not work for me.

Upon closer inspection, my OneDrive does have the following file name in its root ".849C9593-D756-4E56-8D6E-42412F2A707B", without any file extension, but its size is 0KB.

Should I just add an alphanumeric password argument on to that command line you've given me?


Wednesday, September 25, 2019 4:19 PM

First I made this in cmd:

manage-bde -protectors -get c:

and I've got like Mr.buffies:

Volume C: [Windows]
All Key Protectors

    TPM:
      ID: {A67ECC8E-00C9-4378-9E36-868F789E8869}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)

Then I've tried to do like what you said:

manage-bde -protectors -add c: -rp

and I've got like this:

Key Protectors Added:

    Numerical Password:
      ID: {...}
      Password:
        xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx

ACTIONS REQUIRED:

    1- Save this numerical recovery password in a secure location away from your computer:

    xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx

    To prevent data loss, save this password immediately. This password helps ensure that you can unlock the encrypted volume.

I think it works. Thanks Mr.Ronald.
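As an added example (not posted by anyone in this thread), the steps the replies converge on, check the volume, add a TPM protector only on the OS volume, add a numerical recovery password, then resume protection, written as one PowerShell function using the built-in BitLocker module cmdlets instead of manage-bde. The function name is hypothetical; it assumes an elevated PowerShell prompt on Windows 10.

```powershell
# Added example, not code from the thread. Mirrors the manage-bde sequence the
# replies use: -protectors -add c: -tpm, -protectors -add c: -rp, -protectors -enable c:
function Ensure-BitLockerProtectors {
    param(
        [Parameter(Mandatory)] [string] $MountPoint   # e.g. "C:"
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # The state in the question: 100% encrypted but "Protection Off" with no key
    # protectors. The data is encrypted, but nothing guards the key yet.
    Write-Host ("{0}: {1}, {2}% encrypted, protection {3}" -f
        $vol.MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage, $vol.ProtectionStatus)

    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Same rule manage-bde reports for D: ("Only the OS volume may be secured
    # with the TPM"): only add a TPM protector to the operating-system volume.
    if ($vol.VolumeType -eq 'OperatingSystem' -and $types -notcontains 'Tpm') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
        Write-Host "Added TPM protector (PCR-bound, Secure Boot validated)"
    }

    # Numerical recovery password, the equivalent of "-rp" (not "-rk", which
    # expects a path for an external key file and fails as shown above).
    if ($types -notcontains 'RecoveryPassword') {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector |
               Where-Object KeyProtectorType -eq 'RecoveryPassword' |
               Select-Object -Last 1
        # Record it somewhere other than this encrypted drive, e.g. your Microsoft
        # account backup or printed, never a file on the volume it unlocks.
        Write-Host "Recovery password (save it away from this computer):"
        Write-Host $rp.RecoveryPassword
    }

    # Equivalent of "manage-bde -protectors -enable c:".
    if ((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -ne 'On') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }

    # Final check: expect ProtectionStatus On and both protector types on C:.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeType, ProtectionStatus,
            @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType -join ', ') } }
}

Ensure-BitLockerProtectors -MountPoint 'C:'
```

On a data volume such as D: the function skips the TPM step and adds only the recovery password, which matches the error the thread hit with "-tpm" on a non-OS volume.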