Recovering BitLocker when the BCD has been modified

I recently built a new computer and enabled BitLocker on it. When doing so, it asked me to save my recovery key, but I didn’t have a working printer or a flash drive to hand to save my recovery key to (also it doesn’t seem sane to store the recovery key in cleartext on a USB stick), so I cheated and used Print to PDF to save the recovery key to my OS drive… the one I was encrypting.

A little later I was hardening my security settings and changed the DEP policy to from the default (opt-in) to opt-out. I didn’t think anything of it until I rebooted and, after entering my BitLocker password, I was greeted with a error screen that asked for my recovery key, and gave me this message:

Windows Bitlocker Drive Encryption Information

The Boot Configuration Data (BCD) settings for the following boot application have changed since Bitlocker was enabled.

    Boot Application: Windows\system32\winload.exe
    Changed Setting: 0x25000020

You must supply a Bitlocker recovery key to start this system.

Confirm that the changes to the BCD settings are trusted.

If the changes are trusted then suspend and resume Bitlocker.  This will reset Bitlocker to use the new BCD settings.

Otherwise restore the original BCD settings.

According to the BCD Settings and BitLocker page on MSDN, 0x25000020 is the “nx” setting. Suddenly it sunk in that I might have screwed up royally here.

Since I knew the volume password, I tried using manage-bde in the recovery command line to unlock the drive or dump the recovery key, but no luck. I then tried using bcdedit to modify the “nx” value back to the default “OptIn”:

bcdedit /set nx OptIn

But upon reboot that didn’t work either. I was starting to wonder whether each BCD entry had some kind of random cryptographic nonce value that was being altered each time a new value was applied, which was somehow involved in the BitLocker key derivation process and would mean my data was truly gone. (Spoiler: this isn’t the case, it’s just a check inside the BitLocker executable)

I was just about ready to throw in the towel or start with more involved methods, like trying to mount the volume on a Linux live distro to extract the recovery key, when I ran bcdedit again and noticed that the “nx” value hadn’t changed at all. This was because the command above modifies the current BCD boot entry, and the recovery console uses its own entry. Instead, I had to specify which boot entry I wanted to set the variable under:

bcdedit /set {default} nx OptIn

Re-running bcdedit again afterwards showed that the value had now been changed. After rebooting I was able to unlock BitLocker as normal and get back into my system. I then made a point of backing up my recovery key to a secure location that I can reach without needing to unlock my system first.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s