For more information about how to use BitLocker, visit the following Microsoft Web site: To install the BitLocker Recovery Password Viewer tool successfully, the installation program must update the Active Directory configuration database. The installation program adds the following two attributes to AD DS if these two attributes are not already present.
LanguageID for English is The installation program updates all language IDs to let you run the BitLocker Recovery Password Viewer tool under all available languages.
These changes to AD DS affect every domain in the forest. You must have Enterprise Administrator rights to modify the Active Directory configuration database. However, after the BitLocker Recovery Password Viewer tool has been installed once in a forest, later installations of the tool require only Read permissions to the Active Directory configuration database.
By default, all domain users have Read permissions for the Active Directory configuration database. To summarize, you must have the following rights to install the BitLocker Recovery Password Viewer tool:
These rights let you modify the Active Directory configuration database. For subsequent installations of the BitLocker Recovery Password Viewer tool, you must have the rights of a domain user together with local Administrator rights on the computer on which you want to install the tool. Before you run this tool in the domain for the first time, run the following command from your Windows system folder as an Enterprise Administrator:
Use the following information to help troubleshoot installation error messages that you may receive when you install the BitLocker Recovery Password Viewer tool.
Error message 1. You must install the Windows Vista-based version of the tool on Windows Vista-based computers.
Error message 2. You receive this error message if you do not have sufficient rights to install the BitLocker Recovery Password Viewer tool on a Windows XP-based computer. You must have local Administrator rights to install this tool.
Error message 3. Cannot connect to the domain controller. You must be logged in as a domain user with a connection to the network. The computer is not connected to the network, or the computer cannot communicate with the domain.
Error message 4. You do not have permissions to perform this install. Enterprise administrative rights are required. You may receive this error message when you try to install the first instance of the BitLocker Recovery Password Viewer tool in a forest.
Also, you must have Read and Write permissions to the parent containers of these objects in the Active Directory configuration database. By default, members of the Enterprise Administrators group have Read and Write permissions to these objects.
Error message 5. You may receive this error message when you try to perform a second or later installation of the BitLocker Recovery Password Viewer tool in a domain.
Also, you must have at least Read permissions to the parent containers of these objects in the Active Directory configuration database. Click Start, click Run, type appwiz. In the Add or Remove Programs dialog box, click to select the Show updates check box.
Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.
Changes to the NTFS partition table on the disk, including creating, deleting, or resizing a primary partition.
Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic consists of software or hardware methods that increase the difficulty and cost of a brute-force attack on a PIN by not accepting PIN entries until a certain amount of time has passed.
Adding or removing hardware; for example, inserting a new card in the computer, including some PCMCIA wireless cards.
Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
Hiding the TPM from the operating system. When implemented, this option can make the TPM hidden from the operating system.
Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs.
Losing the USB flash drive containing the startup key when startup key authentication has been enabled.
For example, a non-compliant implementation may record volatile data such as time in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value.
Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards.
Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.
Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence.
After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components.
For planned scenarios, such as known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection.
Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. If suspended, BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command-line tool.
If software maintenance requires the computer to be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control.
For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user.
Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The -forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation.
On the Start screen, type cmd. Recovery triggered by -forcerecovery persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the -forcerecovery option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again.
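As an added example (not code from the original article or from Microsoft), the planned-maintenance sequence described above as a PowerShell script: it refuses to proceed without a recovery password protector, backs that protector up to AD DS where the computer is domain-joined, and suspends BitLocker with a reboot count so protection resumes on its own. It assumes the Windows BitLocker PowerShell module and an elevated session; $MountPoint and $RebootCount are this script's own parameters.

```powershell
# Added example: suspend BitLocker for a planned firmware or hardware change so the next
# reboot does not trigger recovery, with the checks an administrator wants beforehand.
# Assumes Windows 8 / Server 2012 or later (BitLocker module) and an elevated session.
param(
    [string]$MountPoint = 'C:',   # assumed to be the operating system drive
    [int]$RebootCount = 1         # protection resumes by itself after this many reboots
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Suspending only makes sense on a drive that is already fully encrypted.
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    throw "$MountPoint is $($vol.VolumeStatus); suspend applies only to a fully encrypted drive."
}

# Never suspend (or test -forcerecovery) without a recovery password to fall back on.
$rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($rp.Count -eq 0) {
    throw "No recovery password protector on $MountPoint; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector first."
}

# Back the recovery password up to AD DS so the helpdesk can retrieve it if recovery is
# triggered anyway. On a workgroup PC this cannot succeed, so only warn.
foreach ($p in $rp) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    } catch {
        Write-Warning "Could not back up protector $($p.KeyProtectorId) to AD DS: $($_.Exception.Message)"
    }
}

# Suspend: the drive stays fully encrypted, but the TPM protector is cleared so the planned
# change will not trigger recovery. Command-line equivalent:
#   manage-bde -protectors -disable C: -RebootCount 1
if ($vol.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
}

$after = Get-BitLockerVolume -MountPoint $MountPoint
if ($after.ProtectionStatus -ne 'Off') {
    throw "Suspend did not take effect on $MountPoint (ProtectionStatus=$($after.ProtectionStatus))."
}
Write-Output "BitLocker on $MountPoint suspended for $RebootCount reboot(s); VolumeStatus=$($after.VolumeStatus)."
Write-Output "After the maintenance, run Resume-BitLocker -MountPoint $MountPoint, or let the reboot count expire."
```

Resuming early with Resume-BitLocker (or manage-bde -protectors -enable) reseals the key to the new measurements without a recovery password prompt, which is the point of suspending before the change rather than after.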
For more information, see BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device. When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords?
How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage.
After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for your organization.
Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery.
If self-recovery includes using a password or recovery key stored on a USB flash drive, users should be warned not to store the USB flash drive in the same place as the PC, especially during travel: if both the PC and the recovery items are in the same bag, it is easy for an unauthorized user to access the PC. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. However, this does not happen by default. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
Select the Do not enable BitLocker until recovery information is stored in AD DS check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required.
Yet, convenient as it is, it also brings some trouble. Noticing this, I decided to do what I can to help you get rid of BitLocker encryption related problems. Firstly, please stay calm and keep an optimistic attitude; this is often the key factor to success.
Always remember that you still have a chance to recover data from a BitLocker encrypted hard drive. Now, let us get to know how to get back lost files from a BitLocker encrypted drive and the causes of data loss problems caused by BitLocker.
Certainly, there are other methods for BitLocker drive encryption recovery — recovering data from the BitLocker encrypted drive or recovering a BitLocker key that was lost accidentally. The first way is using a third-party recovery program to perform BitLocker recovery. After downloading it, you should run it right away. Then, follow the recovery steps given below to get back data from the BitLocker encrypted drive effectively.
They are suitable for recovering data from different places. Specify the correct place here. Step 3: the software will show you the files it has found during the scanning process. You can browse them to find out whether the ones you need are included or not. Step 4: check the files you need and pick out all the data you want to recover.
Of course, you can choose to rely on a BitLocker data recovery agent to recover important files from a BitLocker encrypted drive. But you must be prepared to pay a large amount of money for that once the recovery is done. Besides, if any private information is involved, this may lead to a privacy leak.
Obviously, the direct reason is that more and more users are running into data loss caused by BitLocker drive encryption. Now, please follow us to see the 3 most common specific cases in which data is lost when BitLocker is turned on — check it out!
In fact, BitLocker will not take effect immediately after encryption is completed. Instead, you can access data on the drive as usual before a computer restart.