Tip of the Day: What Could Cause BitLocker to Start in Recovery Mode?


Today’s Tip… What Could Cause BitLocker to Start in Recovery Mode?


We see this question pop up frequently enough that I thought it would be beneficial to send this out.

  • Changing any Boot Configuration Data (BCD) boot entry data type (BCD element) setting, with the exception of the following elements:
    • Description
    • RAMDiskImageOffset
    • PassCount
    • TestMix
    • FailureCount
    • TestToFail

Note: When installing a language pack, if you choose in the wizard to apply the language settings to all users and system accounts, the wizard modifies a BCD setting. It is recommended to suspend BitLocker before installing a language pack.

  • Changing the BIOS boot order to boot another drive ahead of the hard drive
  • Having CD or DVD drive ahead of the hard drive in the BIOS and inserting or removing a CD/DVD
  • Failing to boot from a network drive before booting from the hard drive
  • Docking or undocking a portable computer if the computer was (respectively) undocked or docked when BitLocker was turned on
  • Changes to the NTFS partition table on the disk, including:
    • Creating a primary partition
    • Deleting a primary partition
    • Resizing a primary partition
  • Entering the PIN incorrectly too many times, activating the anti-hammering logic of the TPM
  • Turning off BIOS support for reading USB devices in the pre-boot environment if you are using USB-based keys instead of PIN
  • Turning off, disabling, deactivating, or clearing the TPM
  • Upgrading critical early startup components, such as a BIOS upgrade
  • Forgetting the PIN with PIN authentication
  • Updating option ROM firmware
  • Upgrading TPM firmware
  • Adding or removing hardware
  • Removing, inserting, or completely depleting the charge on a smart battery (portable computer)
  • Changes to the master boot record (MBR) on the disk
  • Changes to the boot manager (bootmgr) on the disk
  • Hiding the TPM from the operating system
  • Using a different keyboard that doesn’t enter the PIN correctly or one that doesn’t map as assumed by the pre-boot environment
  • Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile
  • Moving the BitLocker-protected drive to a different system
  • Upgrading the motherboard to a new one with a new TPM
  • Losing the USB flash drive containing the startup key with startup key authentication enabled
  • Failing the TPM self-test
  • Having a BIOS or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer
  • Changing the usage authorization for the storage root key of the TPM to a non-zero value
  • Disabling the code integrity check or enabling test signing on Windows Bootmgr
  • Pressing the F8 or F10 key during the boot process
  • Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards
  • Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive
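
Nearly everything on the list above changes what the TPM measures into its PCRs, so the safe pattern is the same for all of them: confirm you hold a recovery password, check the TPM is not already in a bad state, then suspend BitLocker for the reboots the maintenance needs and resume afterwards. The following PowerShell script is an added example, not part of the original post or of Microsoft's documentation. It assumes the OS volume is C:, an elevated session on Windows 8 / Server 2012 or later (BitLocker and TrustedPlatformModule modules present), and that manage-bde.exe is on the path; the -EscrowToAD switch is a hypothetical option that assumes the domain is already configured to accept BitLocker recovery information.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): pre-flight check before a BIOS/option ROM/
# TPM firmware update, BCD edit, language pack install or any other change from the list.
# Assumes: OS volume C:, Windows 8 / Server 2012+ (BitLocker + TrustedPlatformModule
# modules), elevated session, manage-bde.exe on the path.
param(
    [string]$MountPoint  = 'C:',
    [int]   $RebootCount = 1,    # reboots to stay suspended; 0 = until Resume-BitLocker is run
    [switch]$EscrowToAD          # hypothetical option: also push recovery passwords to AD DS
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "$MountPoint protection is $($vol.ProtectionStatus); nothing to suspend."
    return
}

# 1. Never touch PCR-measured components without a recovery path in hand.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    throw "No RecoveryPassword protector on $MountPoint. Add one first: " +
          "Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
}
foreach ($rp in $recovery) {
    # The 48-digit password is printed so the operator can file it; treat any transcript as secret.
    Write-Host ("Recovery password {0}: {1}" -f $rp.KeyProtectorId, $rp.RecoveryPassword)
    if ($EscrowToAD) {
        # Requires the 'Store BitLocker recovery information in AD DS' policy or write access
        # to the computer object; fails loudly otherwise, which is what we want here.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    }
}

# 2. TPM state: a locked-out TPM (PIN anti-hammering) or a pending restart are both
#    listed causes of a recovery prompt, so surface them before the maintenance.
$tpm = Get-Tpm
if (-not $tpm.TpmReady)  { Write-Warning 'TPM reports not ready; expect a recovery prompt at next boot.' }
if ($tpm.LockedOut)      { Write-Warning "TPM is locked out (anti-hammering); heals in $($tpm.LockoutHealTime)." }
if ($tpm.RestartPending) { Write-Warning 'TPM change pending a restart; reboot before continuing.' }

# 3. Record which PCRs the TPM protector validates (manage-bde prints the list on the line
#    after the header), so a recovery prompt afterwards can be tied to e.g. PCR 0/2/4.
manage-bde -protectors -get $MountPoint |
    Select-String -Pattern 'PCR Validation Profile' -Context 0,1 |
    ForEach-Object { Write-Host ($_.Line.Trim() + ' ' + ($_.Context.PostContext -join ' ').Trim()) }

# 4. Suspend. The volume stays encrypted; only the volume master key is left unsealed
#    until protection resumes, which is exactly the window the maintenance needs.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
$after = Get-BitLockerVolume -MountPoint $MountPoint
"{0}: ProtectionStatus={1}, VolumeStatus={2}, KeyProtectors={3}" -f $MountPoint,
    $after.ProtectionStatus, $after.VolumeStatus,
    (($after.KeyProtector | ForEach-Object KeyProtectorType) -join ',')
```

Run it once before the change; after the last reboot, `Get-BitLockerVolume C:` should show `ProtectionStatus : On` again when -RebootCount was 1, otherwise run `Resume-BitLocker -MountPoint C:`. Firmware updaters that reboot more than once need a higher -RebootCount, or 0 with an explicit resume, because the first boot after a BIOS or option ROM update is the one that changes PCR 0 and PCR 2 and would otherwise trigger recovery.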

Reference: https://technet.microsoft.com/en-us/library/ee449438(v=ws.10).aspx#BKMK_examplesosrec

Comments (1)

  1. Jonathan Conway says:

    Hi – I’m surprised that “Interactive logon: Machine account lockout threshold” Group Policy setting isn’t listed here as a potential cause of BitLocker Recovery.

    It’s included in the Windows 10 Security Baseline provided by Microsoft Security Compliance Manager, so it is likely to be configured for a lot of customers.

    https://technet.microsoft.com/en-gb/itpro/windows/keep-secure/interactive-logon-machine-account-lockout-threshold
