Scenario 11: Recovering Data Protected by BitLocker Drive Encryption (Windows 7)

Applies To: Windows 7

This scenario describes the process for recovering your data after BitLocker has entered recovery mode. BitLocker locks the computer when a disk encryption key is not available. The following is a list of likely causes:

  • An error related to TPM validation occurs on an operating system drive.

  • The password for a BitLocker-protected fixed data drive is forgotten.

  • The smart card used to lock a removable data drive is lost.

When recovery of a drive is necessary, you must use the recovery key from a USB flash drive, type the 48-digit recovery password, or have a data recovery agent recover the drive. When the operating system drive needs to be recovered, you enter the recovery information in the BitLocker recovery console, which runs before Windows starts (only the keyboard is available, and no network or accessibility features). Some systems use the function keys to enter digits in this environment: F1 through F9 represent the digits 1 through 9, and F10 represents 0.

Warning

When in the operating system drive recovery console session, the accessibility features of Windows are not available. If you require accessibility features, consider what you will do in the event of recovery. For example, you might consider data recovery agents to support drive recovery or designate a trusted person who can store the recovery key and provide it if necessary.

Before you start

To complete the procedures in this scenario:

  • You must be able to provide administrative credentials.

  • You must have the USB flash drive that contains the recovery key, or the 48-digit recovery password (the procedures below accept either; keep at least one of them available before you deliberately trigger recovery, or you will be locked out of the drive).

  • Your computer must meet BitLocker requirements. For more information, see "Requirements for BitLocker Drive Encryption" in BitLocker Drive Encryption Step-by-Step Guide for Windows 7.

To test data recovery on an operating system drive

  1. Click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  2. Type bcdedit /debug on to enable kernel debugging for the operating system drive. This changes the Boot Configuration Data, which is part of the boot configuration that BitLocker validates with the TPM, so the TPM will refuse to release the volume key at the next startup. (This test only triggers recovery on a drive protected by a TPM-based key protector.)

  3. Close all open windows.

  4. If the USB flash drive that contains your recovery key is inserted into the computer, use the Safely Remove Hardware icon in the notification area to remove it from the computer.

  5. Click Start, and then click Shut Down to turn off your computer.

    When you restart the computer, you will be prompted for the recovery password, because the startup configuration has changed since you encrypted the drive.

  6. Turn on your computer.

  7. The BitLocker Drive Encryption Recovery Console will appear.

  8. You will be prompted to insert the USB flash drive that contains the recovery key.

    • If you have the USB flash drive with the recovery key, insert it, and then press ESC. Your computer will restart automatically. You do not need to enter the recovery password manually.

    • If you do not have the USB flash drive with the recovery key, press ENTER. You will be prompted to enter the recovery password. Type the 48-digit recovery password, and then press ENTER.

  9. After the drive has been unlocked, the operating system will start. To restore your computer to its normal operating profile, click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes. Type bcdedit /debug off to disable kernel debugging for the operating system drive.
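The following script is an added example and is not part of the original guide. It performs the checks a practitioner wants before deliberately running bcdedit /debug on: that the operating system drive has a TPM protector (otherwise the BCD change will not trigger recovery) and a recovery password or recovery key protector (otherwise the change locks you out). It assumes Windows 7 with manage-bde.exe and bcdedit.exe, an elevated PowerShell prompt, and the English output labels of manage-bde; the parameter names are my own.

```powershell
# Added example (not from the original guide): pre-flight checks before forcing the
# OS drive into BitLocker recovery with "bcdedit /debug on".
# Assumes Windows 7, an elevated PowerShell prompt, and English manage-bde output.
param(
    [string]$OsDrive = $env:SystemDrive,   # e.g. "C:"
    [switch]$Trigger                       # actually run "bcdedit /debug on"
)

function Get-BdeProtectorTypes([string]$Drive) {
    # "manage-bde -protectors -get" prints each protector as a label line such as
    # "    TPM:" or "    Numerical Password:" followed by an indented "ID: {GUID}" line.
    # Only label lines that are directly followed by an ID line are protector headers,
    # which keeps "Password:" and "PCR Validation Profile:" sub-entries out of the list.
    $out = @(& manage-bde.exe -protectors -get $Drive 2>&1 | ForEach-Object { [string]$_ })
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed for $Drive : $($out -join ' ')" }
    $types = @()
    for ($i = 0; $i -lt $out.Count - 1; $i++) {
        if (($out[$i] -match '^\s*([A-Za-z][A-Za-z() ]*):\s*$') -and
            ($out[$i + 1] -match '^\s*ID:\s*\{')) {
            $types += $Matches[1]
        }
    }
    return $types
}

function Get-BdeConversionStatus([string]$Drive) {
    $out = @(& manage-bde.exe -status $Drive 2>&1 | ForEach-Object { [string]$_ })
    foreach ($line in $out) {
        if ($line -match 'Conversion Status:\s*(.+)$') { return $Matches[1].Trim() }
    }
    return 'Unknown'
}

$types = Get-BdeProtectorTypes $OsDrive
Write-Host ("Protectors on {0}: {1}" -f $OsDrive, ($types -join ', '))

# Recovery is triggered only when the TPM seals the volume key: a BCD change invalidates
# the platform measurements and BitLocker falls back to recovery mode.
if ($types -notcontains 'TPM') {
    throw "No TPM protector on $OsDrive; changing the boot configuration will not trigger recovery."
}
# Without recovery material the change below locks you out of the OS drive.
if (($types -notcontains 'Numerical Password') -and ($types -notcontains 'External Key')) {
    throw "No recovery password or recovery key on $OsDrive. Add one first, e.g.: manage-bde -protectors -add $OsDrive -RecoveryPassword"
}
if ((Get-BdeConversionStatus $OsDrive) -ne 'Fully Encrypted') {
    Write-Warning "$OsDrive is not fully encrypted; finish encryption before testing recovery."
}

if ($Trigger) {
    & bcdedit.exe /debug on | Out-Host
    Write-Host "Kernel debugging enabled. Remove the recovery USB drive and shut down; the next startup will prompt for recovery."
    Write-Host "After the drive unlocks, restore the normal profile with: bcdedit /debug off"
} else {
    Write-Host "Pre-flight passed. Re-run with -Trigger to run 'bcdedit /debug on'."
}
```

Save the script as a .ps1 file and run it from an elevated PowerShell prompt (on Windows 7 the default execution policy is Restricted, so you may need Set-ExecutionPolicy RemoteSigned first). Run it once without -Trigger to review the protector list, then with -Trigger to perform step 2 of the procedure.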

To test data recovery on a password-protected fixed data drive

  1. Click Start, and then click Computer to display the drives on the computer.

  2. Double-click a BitLocker-protected data drive. The BitLocker Drive Encryption dialog box is displayed, prompting you to type your password to unlock the drive.

  3. Click I forgot my password. You are prompted to Unlock this drive using your recovery key. Select either Type the recovery key or Get the key from the USB flash drive, depending on which recovery method was configured for the drive.

  4. After providing the recovery key, the drive is unlocked. You can then click Manage BitLocker, and reconfigure the unlock method as necessary.

    You will be able to use the new unlock method to unlock the drive the next time the drive is locked.
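The following script is an added example, not part of the original guide, and shows the command-line equivalent of the data drive procedure above using manage-bde.exe on Windows 7. Before calling manage-bde it checks the structure of a typed 48-digit recovery password: each of the eight 6-digit groups is a 16-bit value multiplied by 11, so a group that is not divisible by 11 or exceeds 720885 is a transcription error and can be corrected before the unlock is attempted. The drive letter, file path and parameter names are placeholders of my own; it assumes an elevated PowerShell prompt.

```powershell
# Added example (not from the original guide): unlock a BitLocker-protected fixed
# data drive with its recovery password or recovery key file, then replace the
# forgotten password protector. Assumes Windows 7 and an elevated PowerShell prompt.
param(
    [Parameter(Mandatory=$true)][string]$Drive,   # e.g. "E:"
    [string]$RecoveryPassword,                     # 48 digits, 8 groups of 6, dash-separated
    [string]$RecoveryKeyFile                       # or the .BEK file from the USB flash drive
)

function Test-BdeRecoveryPassword([string]$Password) {
    # A BitLocker numerical password is 8 groups of 6 digits. Each group is a 16-bit
    # value multiplied by 11, so it must be divisible by 11 and no larger than
    # 65535 * 11 = 720885. Typos in a single digit almost always break one of these.
    $groups = @(($Password -replace '\s', '') -split '-')
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if ((($n % 11) -ne 0) -or ($n -gt 720885)) { return $false }
    }
    return $true
}

if ($RecoveryPassword) {
    if (-not (Test-BdeRecoveryPassword $RecoveryPassword)) {
        throw "Recovery password fails the format check; re-read it from your printout or saved file before retrying."
    }
    & manage-bde.exe -unlock $Drive -RecoveryPassword $RecoveryPassword
} elseif ($RecoveryKeyFile) {
    & manage-bde.exe -unlock $Drive -RecoveryKey $RecoveryKeyFile
} else {
    throw "Supply -RecoveryPassword or -RecoveryKeyFile."
}
if ($LASTEXITCODE -ne 0) { throw "manage-bde could not unlock $Drive (exit code $LASTEXITCODE)." }

# Equivalent of "Manage BitLocker" in step 4: remove the forgotten password protector
# and add a new one. manage-bde prompts for the new password interactively.
& manage-bde.exe -protectors -delete $Drive -type Password
& manage-bde.exe -protectors -add $Drive -Password
& manage-bde.exe -status $Drive
```

The format check is deliberately separate from the unlock call: a password that passes it can still be the wrong one for this drive, but one that fails it can never be right, so there is no point sending it to manage-bde.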

By completing the procedures in this scenario, you have used data recovery to reestablish access to a BitLocker-protected drive.