Restoring access to a drive protected by BitLocker
If a user has forgotten the password for accessing a hard drive encrypted by BitLocker, you need to start the recovery procedure (Request-Response).
If the computer's operating system has Federal Information Processing standard (FIPS) compatibility mode enabled, then in Windows 8 and older the recovery key file is saved to the removable drive before encryption. To restore access to the drive, insert the removable drive and follow the on-screen instructions.
Restoring access to a hard drive encrypted by BitLocker consists of the following steps:
- The user tells the administrator the recovery key ID (see the figure below).
- The administrator verifies the ID of the recovery key in the computer properties in Kaspersky Security Center. The ID that the user provided must match the ID that is displayed in the computer properties.
- If the recovery key IDs match, the administrator provides the user with the recovery key or sends a recovery key file.
A recovery key file is used for computers running the following operating systems:
- Windows 7;
- Windows 8;
- Windows Server 2008;
- Windows Server 2011;
- Windows Server 2012.
For all other operating systems, a recovery key is used.
- The user enters the recovery key and gains access to the hard drive.
Restoring access to a hard drive encrypted by BitLocker
Restoring access to a system drive
To start the recovery procedure, the user needs to press the Esc key at the pre-boot authentication stage.
How to view the recovery key for a system drive encrypted by BitLocker in the Administration Console (MMC)
- Open the Kaspersky Security Center Administration Console.
- In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
- In the workspace, select the Devices tab.
- On the Devices tab, select the computer of the user requesting access to encrypted data and right-click to open the context menu.
- In the context menu, select Grant access in offline mode.
- In the window that opens, select the Access to a BitLocker-protected system drive tab.
- Prompt the user for the recovery key ID indicated in the BitLocker password input window, and compare it with the ID in the Recovery key ID field.
If the IDs do not match, this key is not valid for restoring access to the specified system drive. Make sure that the name of the selected computer matches the name of the user's computer.
As a result, you will have access to the recovery key or file of the recovery key, which will need to be transferred to the user.
How to view the recovery key for a BitLocker-encrypted system drive in the Web Console and Cloud Console
- In the main window of the Web Console, select Devices → Managed devices.
- Select the check box next to the name of the computer whose drive you want to restore access to.
- Click the Grant access to the device in offline mode button.
- In the window that opens, select the BitLocker section.
- Verify the recovery key ID. The ID provided by the user must match the ID that is displayed in the computer settings.
If the IDs do not match, this key is not valid for restoring access to the specified system drive. Make sure that the name of the selected computer matches the name of the user's computer.
- Click the Receive key button.
As a result, you will have access to the recovery key or file of the recovery key, which will need to be transferred to the user.
After the operating system is loaded, Kaspersky Endpoint Security prompts the user to change the password or PIN code. After you set a new password or PIN code, BitLocker will create a new master key and send the key to Kaspersky Security Center. As a result, the recovery key and recovery key file will be updated. If the user has not changed the password, you can use the old recovery key the next time the operating system loads.
Windows 7 computers don't allow changing the password or PIN code. After the recovery key is entered and the operating system is loaded, Kaspersky Endpoint Security won't prompt the user to change the password or PIN code. Thus, it is impossible to set a new password or a PIN code. This issue stems from the peculiarities of the operating system. To continue, you need to re-encrypt the hard drive.
Restoring access to a non-system drive
To start the recovery procedure, the user needs to click the Forgot your password link in the window providing access to the drive. After gaining access to the encrypted drive, the user can enable automatic unlocking of the drive during Windows authentication in the BitLocker settings.
How to view the recovery key for a non-system drive encrypted by BitLocker in the Administration Console (MMC)
- Open the Kaspersky Security Center Administration Console.
- In the Administration Console tree, select the Additional → Data encryption and protection → Encrypted drives folder.
- In the workspace, select the encrypted device for which you want to create an access key file, then in the context menu of the device, click Get access to the device in Kaspersky Endpoint Security for Windows.
- Prompt the user for the recovery key ID indicated in the BitLocker password input window, and compare it with the ID in the Recovery key ID field.
If the IDs do not match, this key is not valid for restoring access to the specified drive. Make sure that the name of the selected computer matches the name of the user's computer.
- Send the user the key that is indicated in the Recovery key field.
How to view the recovery key for a BitLocker-encrypted non-system drive in the Web Console and Cloud Console
- In the main window of the Web Console, select Operations → Data encryption and protection → Encrypted Drives.
- Select the check box next to the name of the computer whose drive you want to restore access to.
- Click the Grant access to the device in offline mode button.
This starts the Wizard for granting access to a device.
- Follow the instructions of the Wizard for granting access to a device:
- Select the Kaspersky Endpoint Security for Windows plug-in.
- Verify the recovery key ID. The ID provided by the user must match the ID that is displayed in the computer settings.
If the IDs do not match, this key is not valid for restoring access to the specified system drive. Make sure that the name of the selected computer matches the name of the user's computer.
- Click the Receive key button.
As a result, you will have access to the recovery key or file of the recovery key, which will need to be transferred to the user.