• Danger for Dell?

    #2474099

    I am now battling my second Inspiron that boots to Bitlocker recovery and comes to a screaming halt because the owner’s Microsoft account does not have a key. The first accepted the option to factory reset. It is now happily working with the latest version of 10.

    I’m uncertain about the Windows history of the current model but it was built in May 2021 so I suspect Windows 10, failed after upgrade. This one will not accept factory reset, nor any of the options offered by Windows on an ISO. It sits with [Install windows] waiting for the owner to decide ‘yes’ or contact Dell.

    If you have a Dell Inspiron and are contemplating an update, make sure you have a full system image and that it is a verified image. Please!

    Group A (but Telemetry disabled Tasks and Registry)
    1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
    2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

    • #2474101

      Don’t tell @b!

      • #2474104

        Do some forget having done this? I’m sure it must happen.

        (Or the key could be in the Microsoft account of an administrator who set it up.)

    • #2474180

      OK Dell users, this seems to be the workaround or should I say, so far, so good. The message says 1-5 hours so I am doing this as I wait.

      My experience to date has included using inbuilt OS recovery tools or bare metal when that fails. Both are just a case of following the bouncing ball (and having the right image for bare metal). Today I tried Rufus. The ISO wrote to USB OK and loaded the install media but “where are the drivers”. Grumping a bit I went to Dell. There I noticed a link to a 64 bit USB recovery tool. Presumably, that should cover everyone but if it doesn’t, search Dell for drivers for the model you need then look for the link to the recovery tool.

      All I needed was to download it to my (working) PC and run it. When run it requests the relevant Dell Service tag (obtainable from BIOS if you don’t have it written elsewhere). Then it writes everything necessary to your (large) USB drive. Switch on the offending computer and enter BIOS (F2 when the Dell logo appears or through a boot menu using escape then another disk). Choose to boot from the recovery USB and the recovery program runs. From there you’ll need to think through the options and choose the one you want. It will give you a lot of warnings if you choose to delete existing data as I did.

      It just asked me to restart so it seems the laptop is back in business. Just Windows to configure and update.

       

      EDIT: Now ready for user to log on.

      Alternative method using Microsoft Media Creation tool – Untested by me

       

      Group A (but Telemetry disabled Tasks and Registry)
      1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
      2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

      1 user thanked author for this post.
    • #2474299

      I’d back up what’s needed and rummage in the F12 boot menu.

      Dell usually have some sort of factory default – later ones as given can even download software straight from the factory via LAN.

      Once it’s running just load the latest ISO should sort it. The hard bit should be the backing up. I’m not quite clear as to if you have a fix or need to get in, but given the mess can only suggest if all else is lost, three unexpected reboots during start-up might yield the return of the full recovery menu booted from the hard disk, which if it has enough content left to yield the bitlocker tokens, should plausibly unlock the hard disk Windows installation’s recovery system with a Windows username / password first (as the BIOS will recognise the hard disk recovery as a secure environment – hopefully SMM is on as default?). If that doesn’t work maybe run past the BIOS drive diagnostics just in case.

      • #2474464

        Also an old guy.

        Yup! Ran through that stuff with the owner before getting hands on. The bitlocker issue locked it too tight for Dell’s BIOS repair/recover/reset/rollback utilities. Unable to get around Bitlocker, factory reset (or clean reinstall) became the options. The Bitlocker issue seemed to kill the installed recovery utility. It looked like it was loading. Eight hours overnight it still looked like it was loading. The only way I could find around the problem was rescue USB.

        Laptops are now back to health (and BIOS was updated straight away). One is collected, the other awaits. The “you are a magician” was a nice compliment but way off. There’s no way trying to find an elegant way around a bitlocker fail felt like magic. In these cases, one owner had all data stored in the cloud and the other hadn’t yet set up an account after the previous owner handed it back in presumably in that condition. So I didn’t try the option on the utility to recover data. My educated guess based on what I could find and see is it would fail.

        Theoretically, Home editions are only partially encrypted. Most users are unaware it happens, let alone to check for a key in their Microsoft account before a fail (where my experience is they don’t find one in any case). Bitlocker is a Pro version ‘boast’.

        The lesson for others is not if it ain’t broke don’t fix it. The lesson seems to be if you want minimum downtime and inconvenience due to catastrophe, backup your entire system then update Dell {or whoever} drivers and BIOS then update Windows. Every month at least.

        One last point: if anyone uses the Dell USB recovery method, setting options are limited. You should check time, region, language, keyboard etc once you get it going.

        Group A (but Telemetry disabled Tasks and Registry)
        1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
        2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

        2 users thanked author for this post.
    • #2474548

      Hi SteveTree:

      See ecarpenter’s Inspiron 7391 BIOS Update Enabled Bitlocker in the Dell forum. As b noted in post # 2474230, installation of KB5012170 (Security Update for Secure Boot DBX: August 9, 2022) likely triggered the prompt for the BitLocker recovery key. See the 16-Aug-2022 BleepingComputer article Windows KB5012170 Update Causing BitLocker Recovery Screens, Boot Issues, as well as the Known Issues section of the KB5012170 release notes <here>, which states in part:

      IMPORTANT: If you have restarted your device two times or more after installing this update, your device is not affected by this issue.

      which suggests that re-booting a few times after installing this patch should clear the prompt for the BitLocker recovery key on affected systems.

      When I originally set up my Dell Inspiron 5584 I chose to enable BitLocker Drive Encryption and set up a local user account for logging in during the OOBE setup. My laptop was extremely glitchy and unstable and a few months after purchase it refused to boot (no Dell logo, no response from Ctrl+Alt+Del, no response when I pressed my F12 key, etc.). I spent two hours on the phone with Dell customer support and was unable to enter the recovery environment of Dell SupportAssist OS Recovery, but I was eventually able to perform a reset to factory condition. Before the factory reset could proceed I was prompted for my BitLocker recovery key (luckily, I had printed out a hard copy of the recovery and stored the printout in a safe location, in addition to backing up the recovery key on a removable USB thumb drive) and was able to proceed with the reset to factory condition. During my new OOBE setup I left BitLocker Drive Encryption disabled and chose to start logging in with my Microsoft Account.

      I also disabled Dell SupportAssist OS Recovery and now use Macrium Reflect Free imaging software to save the occasional full disk image on an external backup drive in case I ever have to perform another emergency recovery, and my system has been much more stable since the reset to factory condition. For added protection, I always enable Windows System Restore (disabled by default in Win 10/11) as instructed in the Windows Central article How to Use System Restore on Windows 10.
      ————–
      Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Firefox v104.0.1 * Microsoft Defender v4.18.2205.7-1.1.19500.2 * Malwarebytes Premium v4.5.14.210-1.0.1751 * Macrium Reflect Free v8.0.6867 * Dell Update for Windows Universal v4.6.0

      2 users thanked author for this post.
      • #2474627

        Rebooting myriad times did not fix it on either machine. A third laptop that almost certainly developed a variation (would not boot to Windows at all) occurred during installation of the above-mentioned update. Similarly it did not correct itself with myriad restarts. The power button while booting 3 times then rebuild fixed that, as well. So far, all Dell and all three had a BIOS update waiting when reset and updates commenced. BIOS done all three loaded all updates OK.

        Speculating:  KB5012170 may be the trigger and broader testing before may have detected the issue before release of the update. The issue is possibly the installation of the update before update of Dell BIOS.

        The inbuilt Dell software was a waste for this issue. Looking at hard drive volumes, WINRETOOLS, Image, and DELLSUPPORT volumes are non-encrypted but there is not 23Gb space on any of them which indicates backups are in Drive c:\, which is encrypted unless users take steps to switch off Bitlocker. So, recovery of system or data without a Bitlocker key is impossible. Dell Recovery on the affected machine is useless in a Bitlocker situation. Macrium backing up on USB SHOULD work around the issue. My users are now using Macrium to back up on schedule to small footprint, large capacity USB drive.

        Group A (but Telemetry disabled Tasks and Registry)
        1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
        2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

        1 user thanked author for this post.
    • #2474628

      Users who set up with a local account do not get a Bitlocker recovery key in their Microsoft account. Microsoft instructions say, to get your Bitlocker recovery key log your laptop into your Microsoft account.

      If Microsoft publish an alternative to the above it is difficult to find. Last night I found an article about recovering your key from a command window. Method 2 extracted a ‘numerical password’ and a different ‘password’ (ironically, also numerical).

      My account being a local account, I am unable to compare the result with a record in my Microsoft account. Perhaps someone who has an account-linked computer may like to cross-check the methods return an identical result as recorded in their account and publish a ‘do this now; save the result to cloud’ Tip?

      Group A (but Telemetry disabled Tasks and Registry)
      1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
      2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

      1 user thanked author for this post.
      • #2474732

        Users who set up with a local account do not get a Bitlocker recovery key in their Microsoft account. Microsoft instructions say, to get your Bitlocker recovery key log your laptop into your Microsoft account.

        If Microsoft publish an alternative to the above it is difficult to find.

        This Microsoft Support page is a reasonable summary:

        BitLocker likely ensured that a recovery key was safely backed up prior to activating protection. There are several places that your recovery key may be, depending on the choice that was made when activating BitLocker:

        In your Microsoft account: Sign in to your Microsoft account on another device to find your recovery key. This is the most likely place to find your recovery key.

        Note: If the device was set up, or if BitLocker was turned on, by somebody else, the recovery key may be in that person’s Microsoft account.

        On a printout: You may have printed your recovery key when BitLocker was activated. Look where you keep important papers related to your computer.

        On a USB flash drive: Plug the USB flash drive into your locked PC and follow the instructions. If you saved the key as a text file on the flash drive, use a different computer to read the text file.

        In an Azure Active Directory account: If your device was ever signed into an organization using a work or school email account, your recovery key may be stored in that organization’s Azure AD account. You may be able to access it directly or you may need to contact a system administrator to access your recovery key.

        Held by your system administrator: If your device is connected to a domain (usually a work or school device), ask a system administrator for your recovery key.

        Finding your BitLocker recovery key in Windows

         

        Last night I found an article about recovering your key from a command window. Method 2 extracted a ‘numerical password’ and a different ‘password’ (ironically, also numerical).

        They’re both under the heading of Numerical Password, but the first is an ID to help identify the correct key, and the second labelled Password is the actual key. (The first eight characters of the Key ID are displayed in a Microsoft Account record beside the Recovery Key for each Device Name, and can also be used to search for the required key in Active Directory.)

         

        My account being a local account, I am unable to compare the result with a record in my Microsoft account. Perhaps someone who has an account-linked computer may like to cross-check the methods return an identical result as recorded in their account and publish a ‘do this now; save the result to cloud’ Tip?

        I did just use “Method 2” (manage-bde -protectors C: -get) and can confirm that the ID and Key match what was recorded in my Microsoft account when Device Encryption was activated.

        (But I don’t get the need for a tip about saving to the cloud as it’s already there.)

        1 user thanked author for this post.
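
An added example (not part of the thread, and not code from Microsoft or Dell): a pre-update check built on the Key ID versus recovery password distinction described in the post above. It reports each volume's encryption state and the first eight characters of every recovery Key ID for matching against an account record, and optionally saves the full keys off the encrypted disk; the `-OutDir` parameter and the output file name are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. -OutDir is this example's own parameter:
# point it at a USB stick or other location off the encrypted disk.
param([string]$OutDir = '')   # empty = report only, nothing written

function Get-RecoveryKeyReport {
    foreach ($vol in Get-BitLockerVolume) {
        # Keep only recovery-password protectors (TPM protectors carry no password).
        $recovery = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        if ($recovery.Count -eq 0) {
            # Emit a row anyway so an encrypted volume with no key is visible.
            [pscustomobject]@{
                MountPoint = $vol.MountPoint; VolumeStatus = $vol.VolumeStatus
                ProtectionStatus = $vol.ProtectionStatus
                KeyIdShort = $null; KeyId = $null; RecoveryPassword = $null
            }
            continue
        }
        foreach ($kp in $recovery) {
            $id = $kp.KeyProtectorId.Trim('{}')
            [pscustomobject]@{
                MountPoint = $vol.MountPoint; VolumeStatus = $vol.VolumeStatus
                ProtectionStatus = $vol.ProtectionStatus
                KeyIdShort = $id.Substring(0, 8)   # the part shown beside the key in the account record
                KeyId = $id; RecoveryPassword = $kp.RecoveryPassword
            }
        }
    }
}

$report = @(Get-RecoveryKeyReport)

# On-screen summary: IDs only, so the 48-digit password is not left in scrollback.
$report | Format-Table MountPoint, VolumeStatus, ProtectionStatus, KeyIdShort -AutoSize

# Anything not fully decrypted is treated as encrypted for this check.
$encrypted = @($report | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' })
foreach ($row in $encrypted | Where-Object { -not $_.RecoveryPassword }) {
    Write-Warning "$($row.MountPoint) is encrypted but has no recovery password protector."
}

if ($OutDir) {
    $target = (Resolve-Path -LiteralPath $OutDir).Path
    $root   = [System.IO.Path]::GetPathRoot($target).TrimEnd('\')
    # A key stored on the drive it unlocks cannot be read when it is needed.
    if ($encrypted.MountPoint -contains $root) {
        throw "Refusing to save keys on ${root}: that volume is one of the encrypted ones."
    }
    $name = 'BitLocker-{0}-{1:yyyyMMdd}.txt' -f $env:COMPUTERNAME, (Get-Date)
    $file = Join-Path $target $name
    $report | Where-Object RecoveryPassword |
        Format-List MountPoint, KeyId, RecoveryPassword |
        Out-File -LiteralPath $file -Encoding ascii
    Write-Output "Recovery keys saved to $file"
}
```

Run it from an elevated PowerShell prompt before installing firmware or Secure Boot updates, and again after any feature upgrade, since the thread reports encryption being switched on without a prompt.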
    • #2474662

      Powershell script to fetch Bitlocker recovery key.

      Copy to text document and save as .ps1

      Right click and choose ‘Run with PowerShell’

      The first snippet of code self-elevates the script and will request UAC permission.
      The second snippet extracts the key/s

      # Self-elevate the script if required
      # (https://blog.expta.com/2017/03/how-to-self-elevate-powershell-script.html)
      if (-Not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) {
          # Build 6000 and later (Vista onward) have UAC, so relaunch the script elevated
          if ([int](Get-CimInstance -Class Win32_OperatingSystem | Select-Object -ExpandProperty BuildNumber) -ge 6000) {
              # Quote the script path so a path containing spaces survives the relaunch
              $CommandLine = "-File `"" + $MyInvocation.MyCommand.Path + "`" " + $MyInvocation.UnboundArguments
              Start-Process -FilePath PowerShell.exe -Verb Runas -ArgumentList $CommandLine
              Exit
          }
      }
      # Export the BitLocker recovery keys for all drives and display them at the Command Prompt.
      # (https://www.top-password.com/blog/tag/get-bitlocker-recovery-key-from-cmd/)
      $BitlockerVolumers = Get-BitLockerVolume
      $BitlockerVolumers |
          ForEach-Object {
              $MountPoint = $_.MountPoint
              # Joins the RecoveryPassword of every key protector on the volume into one string
              $RecoveryKey = [string]($_.KeyProtector).RecoveryPassword
              if ($RecoveryKey.Length -gt 5) {
                  Write-Output ("The drive $MountPoint has a BitLocker recovery key $RecoveryKey.")
              }
          }

      # Pause execution so user can read result before closing
      pause

      Group A (but Telemetry disabled Tasks and Registry)
      1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
      2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

    • #2475019

      Thanks for testing.

      (But I don’t get the need for a tip about saving to the cloud as it’s already there.)

      The Bitlocker key  is not there if you use a local account when configuring your laptop (at the time it is configured, Windows has no email address to use for the purpose).

      Microsoft does not make configuring a local account intuitive. Those who simply follow the bouncing ball configuring Windows should have a Bitlocker key recorded in their account.

      If people created a local account during configuration they can change their mind via Settings, Privacy & Security, Device Encryption.

      I choose to remain on local account but recognise there are features people will perceive to be advantageous to them (lack of Bitlocker key in your Microsoft account is an obvious disadvantage).

      Group A (but Telemetry disabled Tasks and Registry)
      1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
      2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

      • #2475099

        If people created a local account during configuration they can change their mind via Settings, Privacy & Security, Device Encryption.

        When you enabled Device Encryption, were you not prompted to save or print several copies of your key and to keep them somewhere other than on your computer?

        SaveOrPrintRecoveryKeyLocal

        1 user thanked author for this post.
    • #2475243

      When you enabled Device Encryption, were you not prompted to save or print several copies of your key and to keep them somewhere other than on your computer?

      In a word, no. The longer version is that neither myself nor the users took steps to enable device encryption, then or now, and that Windows did nothing that would alert a user that Bitlocker is being switched on, including any recommended action to either record the key or where it might be found.

      Three scenarios:

      1. The most recent (and newest) device, was previously upgraded from Windows 10 to Windows 11. Presumably that switched Bitlocker on. During basic troubleshooting via phone, I discovered the original user account is not accessible (hence, unable to say whether a key is recorded). It remains on Windows 10 since rebuild. Bitlocker is currently off. My advice to the user was to wait until the September-anticipated version of Windows 11 is in the community long enough for serious problems to be exposed and fixed before upgrade.  It has a local account.
      2. The second oldest model was not previously upgraded to Windows 11 but had been upgraded to a later version of Windows 10. Presumably a Windows 10 upgrade switched Bitlocker on enabling the issue before the crash. After rebuild it was upgraded to Windows 11. Bitlocker is on again (no warning; no prompt). It has a local account and Bitlocker key saved in a safe place using the cmd method.
      3. The other older laptop was previously upgraded to Windows 11. Based on the above, it probably switched Bitlocker on with an earlier Windows 10 upgrade. Now it is upgraded from a no longer supported version of Windows 10 to Windows 10 21H2. Bitlocker is on. There was no prompt or warning about the Bitlocker key. The user did that one with phone support. Strangely, the device’s Dell factory reset worked on that one but not the newest device. When it crashed, the user was unable to locate a Bitlocker key in his Microsoft account.

      Based on those examples, it seems my reading that an upgrade switches Bitlocker on without user permission or advice to store the Bitlocker key is accurate.

      Group A (but Telemetry disabled Tasks and Registry)
      1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
      2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

      5 users thanked author for this post.