Why my surface pro asks for BitLocker recovery key?

Question

I have a latest Microsoft surface pro and would like to install a Linux system on it. There were some installation problem with the Linux and I gave up. But when I tried to perform normal booting, the BitLocker Recovery popped up every time and required me to input the Recovery key. However, I have never made any configurations on BitLocker and set any password. I just left it by default since using the surface pro.

My question is where I can retrieve the default recovery key and if not, how can I get back my data from the encrypted drive. Thank you so much.

score 10 · Answer 1 · 2018-05-21T02:45:07.460

What you are facing

Microsoft Surface line of devices comes encrypted either with BitLocker or Device Encryption (which is basically a non-customizable BitLocker). This encryption does not rely on a user password at all. (It could, but it doesn't.) Instead, it relies on a recovery key stored within a tamper-proof Trusted Platform Module (TPM) chip integrated into the device.

I also assume the Secure Boot is enabled on your Surface Pro. One of the thing that TPM and Secure Boot do is preventing unauthorized boot configuration modification. This is one of the things that can effectively stop bootkits (boot rootkits) and ransomware. When they determine that the boot path may have been compromised, TPM refuses to supply the BitLocker recovery key to the bootloader. (Nobody wants a bootkit to receive his/her recovery key.) Linux aficionados are already aware of both, because living in the Linux world takes a technically dedicated geek. So, when they install Linux, which definitely requires boot configuration changes, they disable BitLocker (and sometimes Secure Boot) in advance.

Make no mistake: People love all this; their data is much safer. The only exception is the journalist community who both love it and love throwing mud at it, because that's their job.

What to do now?

Fortunately, Microsoft has a safety measure in place in case your TPM fails: The recovery key that I mentioned earlier is generated during the out-of-box experience (OOBE) sequence when your Surface Pro is first turned on, and only if you choose to log in with a Microsoft account. Device Encryption does not get enforced without it. This recovery key is then uploaded to your Microsoft account and won't be deleted without your explicit command. You can find it using this URL:

https://account.microsoft.com/devices/recoverykey

That's as far as the default configuration of Microsoft goes. But if you enabled BitLocker yourself ... oh, well, never mind; you said you didn't.

With this key, you can boot Windows from the encrypted disk. From within Windows, you can disable BitLocker/Device Encryption and go about your business of installing Linux. But be advised: Linux means living on the cutting edge. If you don't have sufficient technical knowledge, some other technical difficulty may threaten your digital life. So, I suggest having backup in place.

Things you must not do

Do not try disabling or resetting TPM via UEFI. It won't grant you access. (Think of it this way: If your laptop was ever stolen, you wouldn't want the thieves to get any sort of access by a simple BIOS tweak, now do you?) If you do this, even if you can undo the configuration mismatch that has somehow come into effect, your TPM-based unique key will be lost forever.

Once a recovery key gets stored on a Microsoft account, it won't get deleted without explicit user command. The only other feasible scenario is user enabling BitLocker with his/her own settings, after logging into a local account. But the OP says it is not the case. — , May 20 '18 at 09:38
@harrymc You can backup the device’s BitLocker recovery key from within Windows. Since the author did not backup this key, they will be unable to retrieve the key, unless they linked their account to a Microsoft account. Surface Pro uses BitLocker, Device Encryption is limited to Windows 10 tablet devices, that do not support BitLocker — Ramhound, May 20 '18 at 10:38
Correct. Device Encryption is a feature of Windows 10 Home and only works when the device matches the InstantGo (formerly Connected Standby) requirements. One of them is that memory modules must be soldered to motherboard to prevent cold-boot attacks. Device Encryption activates itself the first time the user is logged onto Windows with a Microsoft account. — , May 20 '18 at 10:47
Thank you. I looked into it and recommend future readers to have a look at the article [How to backup BitLocker Drive Encryption Recovery Key in Windows 10](https://hardsoft-support.kayako.com/article/54-how-to-backup-bitlocker-drive-encryption-recovery-key-in-windows-10). — harrymc, May 20 '18 at 10:56
Nice answer but just one problem : the guy says he hasn't used BitLocker so there is no key to recover and no disk to unencrypt. — harrymc, May 20 '18 at 11:02
@harrymc He/She needn't have. Did you read the part in which I said this is the default behavior of Surface products? — , May 20 '18 at 11:03
I don't agree : I just hurriedly turned on my SP3 and BitLocker is off. — harrymc, May 20 '18 at 11:04
@harrymc I did more comprehensive web searches. It appears Device Encryption is indeed enabled by default on Surface Pro 3 when the user opts to use a Microsoft account. (Also the OP uses Surface Pro 2017). The device is encrypted in the background and the key is uploaded to the Microsoft Account. — , May 20 '18 at 11:20
@user477799 I wish I could give you 1000 points! I was ready to throw away my Surface Pro 3 until I saw your answer. My C drive failed and recovery from a downloaded image wanted my recovery key. I never used Bitlocker. The Microsoft docs basically said if I hadn't saved my Bitlocker key, I was screwed. But when I used your link, there was my recovery key. I now have a fully functional Surface Pro 3 again! — John Pankowicz, Jun 07 '23 at 13:02

score 3 · Answer 2 · answered May 20 '18 at 07:51

3

Your recovery key may be stored in your Microsoft Account.

https://support.microsoft.com/en-gb/help/4026181/windows-10-find-my-bitlocker-recovery-key

If you haven't backed up your recovery key, your data will be inaccessible.

answered May 20 '18 at 07:51

David Marshall

7,200
4
28
32

One problem : the guy says he hasn't used BitLocker so there is no key to recover. – harrymc May 20 '18 at 11:02
@harrymc That's why I wrote 'may be'. That said, I pretty sure there are bitlocker keys backed up on my Microsoft Acount that I never requested. – David Marshall May 21 '18 at 16:24
@harrymc Wrong! Please see my comment under user477799's answer. – John Pankowicz Jun 07 '23 at 13:17

score 0 · Answer 3 · answered Mar 14 '19 at 03:40

I learnt this the hard way last night with 2 surface book pro 2. Bitlocker is shipped by default. The user is not aware and is provided no code. When I changed the security settings in BIOS to none I was able to boot up a linux usb. However when I returned to use the device without the USB I was prompted with a request for a bitlocker key to access the windows accounts on the devices. After 4hrs on chat with Microsoft there only advice resemble the advice I got in the mid nineties from them " Reinstall start again, lose all of your data". I like to refer to the new Bitlocker key request screen as the 2020 blue screen of death. It's the same thing just jazzed up.

So why could I not gain access to the key? Because Microsoft did not store them during sign in. This is in fact done during install and as consumers receive the surface preinstalled, you guessed it no key exists at the users end on the recovery URL provided by Microsoft.

So the lesson is if you want to boot a non windows bootable usb on a surface, make sure you plan on deleting Windows and the drive all together.

harrymc · Answer 4 · 2018-05-20T13:36:13.730

-4

In the case where this is only a glitch in the BIOS, where the device was never really encrypted, BitLocker needs to be undone in the BIOS.

This is the procedure to boot into the BIOS, to find there some way of disabling BitLocker or of resetting the BIOS.

To boot into the BIOS on a Microsoft Surface 3 Tablet follow these instructions:

Power off the Surface – a reboot is not sufficient
Press and HOLD the Volume UP button (on the left side of the tablet)
Press and HOLD the Power button for five seconds (on the top of the tablet)
Release the Power button after five seconds but keep holding the volume button until your see the BIOS UEFI.

edited May 20 '18 at 13:36

answered May 20 '18 at 06:26

harrymc

455,459
31
526
924

I don't like useless downvotes - the guy says he hasn't used BitLocker, so this error is incorrect and to be disregarded. And no way that Linux could have turned on BitLocker, unless the Linux installation tried to change his BIOS. – harrymc May 20 '18 at 10:59
It is not an error and the only way of disregarding it is to disregard using that computer altogether. – May 20 '18 at 11:23
@EUserNameError: Or to undo a glitched BIOS change, in case his device is not really encrypted, which is the case covered by this answer. This may or may not be the case of the poster, but the downvotes are abusive. – harrymc May 20 '18 at 13:34
2

All Microsoft Surface products are shipped with BitLocker enabled. The author’s problem isn’t a caused by a glitch. BitLocker can’t be disable in BIOS. So the downvotes you are received are legitimate. – Ramhound May 20 '18 at 13:47
@Ramhound: Disagree - mine isn't. And BitLocker can be disabled in BIOS in some cases. – harrymc May 20 '18 at 14:10
3

BitLocker isn’t a feature of the firmware. Are you by chance talking about the TPM key configuration, which can be changed, within the device’s firmware configuration? – Ramhound May 20 '18 at 14:44

Why my surface pro asks for BitLocker recovery key?

4 Answers4

What you are facing

What to do now?

Things you must not do