(Closed) Is there a way to unlock a bitlocked hard drive using TPM in command prompt?

5,786

I had this problem once too... My drive got corrupted by BitLocker since I had Controlled Folder Access on and I changed a registry value. However, if you still have access to cmd from Windows Recovery, you can still use manage-bde. Though I cannot test this since I won't use BitLocker again, I remember some things I did. It seems like BitLocker does have random issues like this once in a while.

Of course, the first thing you need to do is check your Microsoft account for the key if your computer was linked to a Microsoft account. If you can find it, use manage-bde -unlock C: -RecoveryPassword <key> or put the key into the BitLocker recovery dialog. If your computer used a local account and/or you can't find the key in your Microsoft account, follow the steps below.

There are two possible ways to recover a BitLocker-protected drive that you don't have the key to. If you are familiar with the Command Prompt, please follow these steps.

  1. Create a Recovery Drive from your manufacturer. For example, if you have a Surface, you will need to download the Surface Recovery Image from your OEM (Microsoft).
  2. Modify your BIOS (if needed) to enable USB boot and boot from the USB.
  3. Once you are booted from your Recovery Drive, access the Command Prompt, probably under Advanced Troubleshooting.
  4. Try manage-bde -off C:
  5. If #4 fails, try manage-bde -fr C: and restart to your primary startup disk.

If this doesn't work, enter Command Prompt again from the Recovery Drive and try manage-bde -changepin C:, manage-bde -changepassword C:, or manage-bde -changekey C:. You can also try manage-bde -autounlock C:.

If you are not familiar with the Command Prompt, you can try using the GUI by creating a ready installation of Windows on an external USB using Windows To Go. Then, you will need to boot from that drive and enter Control Panel. Then, if your primary startup disk shows up, try turning off BitLocker. You can also try using TPM.msc to clear, initialize, or turn off/on the TPM to try to force BitLocker to recover. If your primary startup disk doesn't appear, go to Command Prompt and enter the following:

  1. diskpart
  2. list disk and Find your Disk #
  3. sel disk #
  4. list par and note your Windows partition #
  5. sel par #
  6. assign letter=W

Then, go back to Control Panel and see if the GUI method works. You can also try

  1. manage-bde -off W:
  2. manage-bde -fr W:
  3. manage-bde -changepin W:
  4. manage-bde -changekey W:
  5. manage-bde -changepassword W:

from Command Prompt within your ready installation of Windows on the external USB.

NOTE: You can get to WinRE (Windows Recovery) by pressing Shift or the hardware key combination provided by your OEM. Please read the Microsoft documentation on WinRE and BitLocker for more. Here's the BitLocker link. Here's the WinRE doc. WinRE might also be corrupt because of BitLocker; if it isn't, you can also use this to access the Command Prompt. WinRE might automatically start upon two consecutive failed boot attempts. If you can access the Command Prompt in Windows Recovery, getting Windows on an external drive is not necessary unless you prefer the GUI to the Command Prompt. The time this happened to me, my Users directory was corrupted by BitLocker, hence I could not run the Command Prompt on the X: drive since there was no administrative user. To have the best chance of fixing your issue, an external drive is recommended.

For more documentation on manage-bde, see this page from Microsoft.

Good luck and hope this helps!

Author: ku8zi

Updated on September 18, 2022
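The flow the answer describes, as an added PowerShell example that is not part of the answer: probe the volume with manage-bde, then try only the protectors you can actually hold from a recovery prompt. One caveat the answer skips: a TPM protector releases the volume key only during a normal boot whose measured PCR values match the validation profile (0, 2, 4 and 11 in the question's output); it cannot be driven from a recovery drive, so manage-bde -unlock needs either the 48-digit recovery password (-RecoveryPassword) or a .BEK recovery key file (-RecoveryKey), and manage-bde -off or -protectors only succeed once the volume is unlocked. Assumed for illustration: manage-bde.exe is on PATH, PowerShell is available in the recovery environment (WinRE needs the WinPE-PowerShell component; otherwise type the same manage-bde lines into cmd.exe), and $Volume, $RecoveryPassword and $BekSearchRoots are replaced with your own values.

```powershell
<#
  Added example, not code from the original answer.
  Run from a recovery command prompt (WinRE/WinPE with PowerShell, or a
  Windows To Go install). Assumptions: manage-bde.exe is on PATH, and the
  three parameters below are replaced with your own values.
#>
param(
    [string]   $Volume           = 'C:',                   # in WinRE the OS volume may have another letter
    [string]   $RecoveryPassword = '',                     # 48-digit key (Microsoft account, AD, printout)
    [string[]] $BekSearchRoots   = @('D:\', 'E:\', 'F:\')  # removable drives that may hold a *.BEK key file
)

function Get-BdeStatus([string]$Vol) {
    # Turn the "Key:   Value" lines of `manage-bde -status` into a hashtable.
    $info = @{}
    $text = & manage-bde.exe -status $Vol 2>&1 | Out-String
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z ]+?):\s+(\S.*?)\s*$') { $info[$Matches[1].Trim()] = $Matches[2] }
    }
    return $info
}

function Get-BdeProtectorTypes([string]$Vol) {
    # Protector types are the headings indented by exactly four spaces under
    # "All Key Protectors" (e.g. "    TPM:", "    Numerical Password:", "    External Key:").
    $text = & manage-bde.exe -protectors -get $Vol 2>&1 | Out-String
    return @([regex]::Matches($text, '(?m)^ {4}(\S[A-Za-z ]*?):\s*$') | ForEach-Object { $_.Groups[1].Value })
}

$status = Get-BdeStatus $Volume
if (-not $status.ContainsKey('Lock Status')) {
    throw "manage-bde -status $Volume printed no Lock Status; check the drive letter (diskpart > list vol)."
}
$types = Get-BdeProtectorTypes $Volume
"Volume $Volume : lock status = $($status['Lock Status']); protectors = $($types -join ', ')"

if ($status['Lock Status'] -ne 'Locked') {
    'Volume is already unlocked; manage-bde -off / -protectors will work now.'
    return
}

# 1. Recovery password. A TPM-only volume (the question's case) has no
#    "Numerical Password" protector, so this step is skipped and cannot succeed.
if ($types -contains 'Numerical Password' -and $RecoveryPassword -match '^(\d{6}-){7}\d{6}$') {
    & manage-bde.exe -unlock $Volume -RecoveryPassword $RecoveryPassword
}

# 2. Recovery key file (an "External Key" protector) saved to a USB drive.
#    *.BEK files are hidden+system, hence -Force; they live in the drive root.
if ((Get-BdeStatus $Volume)['Lock Status'] -eq 'Locked' -and $types -contains 'External Key') {
    $bek = Get-ChildItem -Path $BekSearchRoots -Filter '*.BEK' -Force -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if ($bek) { & manage-bde.exe -unlock $Volume -RecoveryKey $bek.FullName }
}

if ((Get-BdeStatus $Volume)['Lock Status'] -eq 'Locked') {
    'Still locked. A TPM protector releases the key only during a normal boot whose PCR values match; it cannot be driven from a recovery prompt.'
    exit 1
}
"Unlocked. Add a second protector before anything else: manage-bde -protectors -add $Volume -RecoveryPassword"
```

The protector list is read before any unlock attempt on purpose: if it shows only TPM, as in the question, neither branch can fire and the script says so instead of guessing at switches, which is the state the rest of this page is about.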

Comments

  • ku8zi (over 1 year ago)

    ******************* Final Update at the bottom *******************

    Long story short, I have made a really dumb mistake.
    I thought I backed up my recovery key, but apparently I only backed up the result of

    manage-bde -protectors C: -get
    

    which only has a recovery ID and no key.
    Also, there are no key protectors other than TPM.
    But TPM does not seem to unlock the system drive automatically for some reason, and I cannot boot my laptop.

    Will there be any way to unlock my encrypted drive?


    Edit 1
    Since my C drive has OS and is locked, I am using a recovery drive which I created using a different PC to open a command prompt.
    If I boot without the recovery drive, I get this screen:

    Windows failed to start. A recent hardware or software change might be the cause. To fix the problem:
    
    1. Insert your Windows installation disc and restart your computer.
    2. Choose your language settings, and then click "Next."
    3. Click "Repair your computer."
    
    If you do not have this disc, contact your system administrator or computer manufacturer for assistance.
    
    
    
    Status: 0xc0210000
    
    Info: A required file couldn't be accessed because your BitLocker key wasn't loaded correctly.
    

    The suggested "Repair your computer." does not work because C is encrypted.
    In my Dell UEFI Firmware Settings, Firmware TPM is enabled under Security tab.
    Is there a way to make the TPM auto-unlock my C drive using a third-party tool?


    Edit 2
    Here are some command results.

    X:\>manage-bde -status c:
    
    BitLocker Drive Encryption: Configuration Tool version 10.0.17763
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.
    
    Volume C: [Label Unknown]
    [Data Volume]
    
        Size:                 Unknown GB
        BitLocker Version:    2.0
        Conversion Status:    Unknown
        Percentage Encrypted: Unknown%
        Encryption Method:    XTS-AES 128
        Protection Status:    Unknown
        Lock Status:          Locked
        Identification Field: Unknown
        Automatic Unlock:     Disabled
        Key Protectors:
            TPM
    
    X:\>manage-bde -protectors c: -get
    
    BitLocker Drive Encryption: Configuration Tool version 10.0.17763
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.
    
    Volume C: [Label Unknown]
    All Key Protectors
    
        TPM:
          ID: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
          PCR Validation Profile:
            0, 2, 4, 11
    

    Just to be safe, I cloned my C drive using Clonezilla to an external drive.
    Is there a way to verify this backup?


    ******************* Final Update *******************

    Because I haven't found a way to decrypt my hard drive, I created a partition-to-partition backup using an external drive and formatted the original hard drive. Then, I reinstalled Windows, reconfigured it, and enabled BitLocker. I tried to back up the recovery key; however, there was none. TPM-locked hard drives do not have a recovery password. So, I added a "recovery password" to my hard drive so as not to make the same mistake again. Although some of the important files are lost, I have been keeping backups of all the critical data. I was fortunate.

    For the people who want to prevent the mistake I made, here is a simple command that will add one more way to unlock your encrypted drive:

    manage-bde -protectors -add c: -recoverypassword
    

    Just make sure to create a proper backup when the recovery password is presented to you.
    Good luck to you all.
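What the final update recommends, as an added PowerShell example that is not the poster's own code: audit every encrypted volume, add a RecoveryPassword protector wherever TPM is the only one, and verify that what gets saved is the 48-digit password itself and not merely the protector ID (the mistake described above, where the saved `manage-bde -protectors -get` output held only an ID because TPM was the sole protector). It uses the BitLocker module cmdlets, so it runs elevated on a booted Windows installation rather than in WinRE. $BackupDir and the two escrow switches are assumptions for illustration; the backup file must land on a drive other than the one being protected.

```powershell
<#
  Added example, not the poster's code. Run elevated on a booted Windows
  installation (the BitLocker module is not available in WinRE).
  Assumed: $BackupDir is an unencrypted, separate or removable drive.
#>
#Requires -RunAsAdministrator
param(
    [string] $BackupDir = 'E:\BitLockerKeys',   # assumed path, never on the encrypted disk itself
    [switch] $BackupToAD,                       # domain-joined: also escrow to Active Directory
    [switch] $BackupToAAD                       # Entra ID-joined: also escrow to Microsoft Entra ID
)

Import-Module BitLocker -ErrorAction Stop
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # nothing to recover on a plaintext volume

    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    "{0}  protection={1}  protectors: {2}" -f $vol.MountPoint, $vol.ProtectionStatus, ($types -join ', ')

    # The failure mode from the question: 'Tpm' is the only protector, so there is
    # no 48-digit password anywhere and `manage-bde -protectors -get` shows only an ID.
    if ($types -notcontains 'RecoveryPassword') {
        "  no RecoveryPassword protector on $($vol.MountPoint); adding one"
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $vol.MountPoint      # re-read after the change
    }

    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        # Verify we hold the secret, not just the protector ID the original poster saved.
        if ($kp.RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
            throw "protector $($kp.KeyProtectorId) on $($vol.MountPoint) returned no 48-digit password"
        }
        $file = Join-Path $BackupDir ("BitLocker-{0}-{1}.txt" -f $vol.MountPoint.TrimEnd(':'), $kp.KeyProtectorId.Trim('{}'))
        @(
            "Volume:            $($vol.MountPoint)"
            "Key protector ID:  $($kp.KeyProtectorId)"
            "Recovery password: $($kp.RecoveryPassword)"
            "Saved:             $(Get-Date -Format o)"
        ) | Set-Content -Path $file -Encoding ASCII
        "  saved $file"

        if ($BackupToAD)  { Backup-BitLockerKeyProtector      -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null }
        if ($BackupToAAD) { BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null }
    }
}

# Cross-check with the tool the poster used: with a RecoveryPassword protector present,
# the "Numerical Password" section of this output now carries the password itself.
manage-bde -protectors -get C:
```

The regex check is the point of the script: a backup that passes it contains something `manage-bde -unlock C: -RecoveryPassword ...` will accept from a recovery prompt, whereas a saved protector ID on its own, which is all a TPM-only volume can ever print, unlocks nothing.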