I've come across several computers where the C: drive is completely encrypted with BitLocker, but there are no Key Protectors like TPM or Recovery Password set up. This becomes a problem when a Windows Update sends the system into BitLocker Recovery mode, and now I'm left without a way to unlock them. Has anyone else experienced this? What steps can I take to address the issue?
4 Answers
Run the command `manage-bde -status` and check what the output reveals about the status of BitLocker. That might give you some insight into what's happening.
If you're not seeing any protectors as an admin, it likely means the drive isn't actually locked. It won’t trigger recovery prompts since there's no recovery password to ask for. When I set up BitLocker via SCCM, I always pre-provision it, so the OS files are deployed encrypted right from the start. It generates a master key, but that key is vulnerable until you add protectors. It sounds like that's what's missing in your case.
You should definitely be backing up your keys to Active Directory at the time of encryption and manage them from there, or consider using Intune for central management. It makes recovery a lot smoother.
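Putting the two suggestions above together, here is an added example (not posted by anyone in this thread) of how to audit every BitLocker volume for the "fully encrypted, no protectors" state that `manage-bde -status` exposes, and optionally add the missing protectors and escrow the recovery password to AD. It uses the built-in BitLocker and TrustedPlatformModule PowerShell modules; the `-Remediate` and `-BackupToAD` switches are names chosen for this example, and it assumes an elevated session on a machine where AD key backup is already permitted by policy.

```powershell
# Added example, not from the thread: find BitLocker volumes that are encrypted
# but have no key protectors, then (optionally) add TPM + recovery password
# protectors, escrow the recovery password in AD DS, and turn protection on.
# Assumes: elevated PowerShell, BitLocker module present, AD backup permitted by GPO.
[CmdletBinding()]
param(
    [switch]$Remediate,    # add protectors where missing (assumed switch name)
    [switch]$BackupToAD    # escrow recovery password to AD DS (assumed switch name)
)

function Get-BitLockerProtectorReport {
    # One row per volume; AtRisk is the state described in the thread:
    # data is encrypted, but nothing guards the volume master key.
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus      # FullyEncrypted, EncryptionInProgress, ...
            ProtectionStatus = $_.ProtectionStatus  # On / Off
            Protectors       = ($types -join ',')
            AtRisk           = ($_.VolumeStatus -ne 'FullyDecrypted') -and ($types.Count -eq 0)
        }
    }
}

$report = Get-BitLockerProtectorReport
$report | Format-Table -AutoSize

foreach ($vol in ($report | Where-Object { $_.AtRisk })) {
    $mp = $vol.MountPoint
    Write-Warning "$mp is encrypted with NO key protectors; a recovery prompt on it could not be answered."

    if (-not $Remediate) { continue }

    # 1. Recovery password first: this is the protector you need when TPM validation fails.
    Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null

    # 2. TPM protector so the OS volume unlocks unattended at boot (skipped if no TPM).
    if ((Get-Tpm).TpmPresent) {
        Add-BitLockerKeyProtector -MountPoint $mp -TpmProtector | Out-Null
    }

    # 3. Escrow the recovery password BEFORE enabling protection, so a copy exists off-box.
    $rpProtectors = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if ($BackupToAD) {
        foreach ($p in $rpProtectors) {
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId
        }
    }

    # 4. Turn protection on (same effect as `manage-bde -protectors -enable`).
    Resume-BitLocker -MountPoint $mp | Out-Null

    Write-Host "Protectors added and protection enabled on $mp. Recovery password(s):"
    $rpProtectors | Select-Object KeyProtectorId, RecoveryPassword
}
```

Run it without switches first to get the report; a volume showing `FullyEncrypted` with `ProtectionStatus` `Off` and an empty `Protectors` column is exactly the pre-provisioned-but-never-finished state described above. Only re-run with `-Remediate -BackupToAD` once you have confirmed the recovery password actually landed in AD (check the computer object's `msFVE-RecoveryInformation` child object), because enabling protection is the step that makes a lost key unrecoverable.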
I’m not the one enabling encryption, which is why this concerns me.
I did check—while the volume status shows it as fully encrypted, the protection status shows off. I’m worried I've missed something essential.
Is BitLocker actually enabled or just in the setup phase? I remember there being a stage where it appears ready but isn't fully deployed yet.
That could be it! The volume is marked fully encrypted, but the protection status shows as off. This has me a bit anxious seeing several computers stuck in BitLocker Recovery without any keys.

So even though it's fully encrypted, I really need to ensure protectors are added, right? I don't want more computers stuck in recovery.