5

I have the latest Microsoft Surface Pro and would like to install a Linux system on it. There were some installation problems with Linux and I gave up. But when I tried to perform a normal boot, the BitLocker Recovery screen popped up every time and required me to input the recovery key. However, I have never made any configuration changes to BitLocker or set any password. I just left it at the defaults since I started using the Surface Pro.

My question is where I can retrieve the default recovery key and, if I can't, how I can get back my data from the encrypted drive. Thank you so much.

4 Answers

11

What you are facing

The Microsoft Surface line of devices comes encrypted either with BitLocker or Device Encryption (which is basically a non-customizable BitLocker). This encryption does not rely on a user password at all. (It could, but it doesn't.) Instead, it relies on a recovery key stored within a tamper-proof Trusted Platform Module (TPM) chip integrated into the device.

I also assume Secure Boot is enabled on your Surface Pro. One of the things that TPM and Secure Boot do is prevent unauthorized boot configuration modification. This is one of the things that can effectively stop bootkits (boot rootkits) and ransomware. When they determine that the boot path may have been compromised, the TPM refuses to supply the BitLocker recovery key to the bootloader. (Nobody wants a bootkit to receive his/her recovery key.) Linux aficionados are already aware of both, because living in the Linux world takes a technically dedicated geek. So, when they install Linux, which definitely requires boot configuration changes, they disable BitLocker (and sometimes Secure Boot) in advance.

Make no mistake: People love all this; their data is much safer. The only exception is the journalist community who both love it and love throwing mud at it, because that's their job.

What to do now?

Fortunately, Microsoft has a safety measure in place in case your TPM fails: The recovery key that I mentioned earlier is generated during the out-of-box experience (OOBE) sequence when your Surface Pro is first turned on, and only if you choose to log in with a Microsoft account. Device Encryption does not get enforced without it. This recovery key is then uploaded to your Microsoft account and won't be deleted without your explicit command. You can find it using this URL:

https://account.microsoft.com/devices/recoverykey

That's as far as the default configuration of Microsoft goes. But if you enabled BitLocker yourself ... oh, well, never mind; you said you didn't.

With this key, you can boot Windows from the encrypted disk. From within Windows, you can disable BitLocker/Device Encryption and go about your business of installing Linux. But be advised: Linux means living on the cutting edge. If you don't have sufficient technical knowledge, some other technical difficulty may threaten your digital life. So, I suggest having a backup in place.

Things you must not do

Do not try disabling or resetting TPM via UEFI. It won't grant you access. (Think of it this way: If your laptop was ever stolen, you wouldn't want the thieves to get any sort of access by a simple BIOS tweak, now do you?) If you do this, even if you can undo the configuration mismatch that has somehow come into effect, your TPM-based unique key will be lost forever.
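The "What to do now" part of this answer boils down to: get the recovery key somewhere safe, boot Windows, turn encryption off, and only then touch the boot configuration. The script below is an added example (not from the answer's author or from Microsoft) that does that inventory-and-backup step from an elevated PowerShell before the Linux install. It assumes Windows 10/11 with the BitLocker PowerShell module (`Get-BitLockerVolume`, `Disable-BitLocker`) available and an attached removable drive; the drive letter `E:` and the backup file name are assumptions you should adjust.

```powershell
# Added example: record BitLocker/Device Encryption state and every recovery
# password to a removable drive BEFORE changing Secure Boot, TPM or boot settings,
# then decrypt the OS drive so a Linux installer cannot trip BitLocker recovery.
# Assumptions: elevated PowerShell, BitLocker module present, E: is a USB stick
# (never save the key onto the encrypted OS drive itself).
#Requires -RunAsAdministrator

$backupPath = 'E:\bitlocker-recovery-keys.txt'   # assumed removable drive letter

# One row per key protector per volume, so TPM-only volumes are visible too.
$report = foreach ($v in Get-BitLockerVolume) {
    foreach ($kp in $v.KeyProtector) {
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeStatus     = $v.VolumeStatus        # FullyEncrypted / FullyDecrypted / ...
            ProtectionStatus = $v.ProtectionStatus    # On / Off
            ProtectorType    = $kp.KeyProtectorType   # Tpm, RecoveryPassword, ...
            ProtectorId      = $kp.KeyProtectorId
            RecoveryPassword = $kp.RecoveryPassword   # 48-digit key; empty for non-recovery protectors
        }
    }
}
$report | Format-Table -AutoSize

# Refuse to continue if there is nothing to back up: a TPM-only volume with no
# RecoveryPassword protector is exactly the situation the question describes.
$recovery = $report | Where-Object { $_.ProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    throw 'No RecoveryPassword protector found. Do not change boot settings until one exists.'
}
$recovery | Select-Object MountPoint, ProtectorId, RecoveryPassword |
    Out-File -FilePath $backupPath -Encoding utf8
Write-Host "Saved $(@($recovery).Count) recovery password(s) to $backupPath"

# Now turn encryption off for the OS drive, as the answer suggests. Decryption runs
# in the background; do not reboot into firmware setup until it has finished.
Disable-BitLocker -MountPoint 'C:'
do {
    Start-Sleep -Seconds 30
    $status = (Get-BitLockerVolume -MountPoint 'C:').VolumeStatus
    Write-Host "C: volume status: $status"
} while ($status -ne 'FullyDecrypted')
```

The key line is the `throw`: if the only protector is the TPM, the 48-digit recovery password the answer talks about does not exist locally, and the Microsoft-account URL above is the only other place it could be. Verify it is there (or add a recovery password protector from the BitLocker control panel) before touching the firmware.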

3

Your recovery key may be stored in your Microsoft Account.

https://support.microsoft.com/en-gb/help/4026181/windows-10-find-my-bitlocker-recovery-key

If you haven't backed up your recovery key, your data will be inaccessible.

0

I learnt this the hard way last night with 2 Surface Book Pro 2s. BitLocker is shipped by default. The user is not aware and is provided no code. When I changed the security settings in the BIOS to none I was able to boot up a Linux USB. However, when I returned to use the device without the USB I was prompted with a request for a BitLocker key to access the Windows accounts on the devices. After 4 hrs on chat with Microsoft, their only advice resembled the advice I got in the mid nineties from them: "Reinstall, start again, lose all of your data". I like to refer to the new BitLocker key request screen as the 2020 blue screen of death. It's the same thing, just jazzed up.

So why could I not gain access to the key? Because Microsoft did not store them during sign-in. This is in fact done during install and, as consumers receive the Surface preinstalled, you guessed it, no key exists at the user's end on the recovery URL provided by Microsoft.

So the lesson is: if you want to boot a non-Windows bootable USB on a Surface, make sure you plan on deleting Windows and the drive altogether.

-4

In the case where this is only a glitch in the BIOS, where the device was never really encrypted, BitLocker needs to be undone in the BIOS.

This is the procedure to boot into the BIOS, to find there some way of disabling BitLocker or of resetting the BIOS.

To boot into the BIOS on a Microsoft Surface 3 Tablet follow these instructions:

  1. Power off the Surface – a reboot is not sufficient
  2. Press and HOLD the Volume UP button (on the left side of the tablet)
  3. Press and HOLD the Power button for five seconds (on the top of the tablet)
  4. Release the Power button after five seconds but keep holding the volume button until you see the BIOS UEFI.
harrymc
  • 498,455