@ -2,14 +2,14 @@
title: BitLocker preboot recovery screen
description: Learn about the information displayed in the BitLocker preboot recovery screen, depending on configured policy settings and recovery keys status.
ms.topic: concept-article
ms.date: 10/30/2023
ms.date: 06/19/2024
---
# BitLocker preboot recovery screen
During BitLocker recovery, the *preboot recovery screen* can display a custom recovery message, a custom recovery URL, and a few hints to help users finding where a key can be retrieved from.
During BitLocker recovery, the *preboot recovery screen* is a critical touchpoint for users, offering a custom recovery message tailored to the organization's needs, a direct recovery URL for additional support, and strategic hints to assist users in locating their recovery key.
This article describes the information displayed in the preboot recovery screen depending on configured policy settings and recovery keys status.
This article delves into the various elements displayed on the preboot recovery screen, detailing how policy settings and the status of recovery keys influence the information presented. Whether it's a personalized message or practical guidance, the preboot recovery screen is designed to streamline the recovery process for users
## Default preboot recovery screen
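Review bot: the new second intro paragraph (the line starting "This article delves into") has no terminal period after "for users"; add one. Beyond that, the rewritten intro reads as marketing copy ("critical touchpoint", "strategic hints", "delves into") and states nothing the replaced lines did not; for a concept article keep the plain description, e.g. "During BitLocker recovery, the preboot recovery screen can display a custom recovery message, a custom recovery URL, and hints to help users find where a recovery key can be retrieved." The ms.date bump to 06/19/2024 is consistent with the new section added further down in this change.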
@ -187,3 +187,118 @@ There are rules governing which hint is shown during the recovery (in the order
:::image type="content" source="images/preboot-recovery-multiple-passwords-multiple-backups.png" alt-text="Screenshot of the BitLocker recovery screen showing the key ID of the most recent key." lightbox="images/preboot-recovery-multiple-passwords-multiple-backups.png" border="false":::
:::column-end:::
:::row-end:::
## Additional recovery information screen
Starting in Windows 11, version 24H2, the BitLocker preboot recovery screen enhances the recovery error information. The recovery screen provides more detailed information about the nature of the recovery error, empowering users to better understand and address the issue.
:::row:::
:::column span="2":::
Users have the option to review additional information about the recovery error by pressing the <Kbd>Alt</kbd> key.
:::column-end:::
:::column span="2":::
:::image type="content" source="images/preboot-recovery-additional.png" alt-text="Screenshot of the BitLocker recovery screen highlighting the Alt keyboard button to access the recovery information screen." lightbox="images/preboot-recovery-additional.png" border="false":::
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
The **Additional recovery information** screen contains an *error category* and a *code*, which you can use to retrieve more details from the next section of this article.
:::column-end:::
:::column span="2":::
:::image type="content" source="images/preboot-recovery-additional-recovery-information.png" alt-text="Screenshot of the BitLocker recovery information screen." lightbox="images/preboot-recovery-additional-recovery-information.png" border="false":::
:::column-end:::
:::row-end:::
The next sections describe the codes for each BitLocker error category. Within each section there's a table with the error message displayed on the recovery screen, and the cause of the error. Some tables include possible resolution.
The error categories are:
- [Initiated by user](#initiated-by-user)
- [Code integrity](#code-integrity)
- [Device lockout](#device-lockout)
- [Boot configuration](#boot-configuration)
- [TPM](#tpm)
- [Protector](#protector)
- [Unknown](#unknown)
### Initiated by user
| Error code | Error cause | Resolution|
|-|-|-|
|`E_FVE_USER_REQUESTED_RECOVERY`|The user explicitly entered recovery mode from a screen with the option to `ESC` to recovery mode.||
|`E_FVE_BOOT_DEBUG_ENABLED`|Boot debugging mode is enabled. |Remove the boot debugging option from the boot configuration database.|
### Code integrity
Driver signature enforcement is used to ensure code integrity of the operating system.
| Error code | Error cause |
|-|-|
|`E_FVE_CI_DISABLED`|Driver signature enforcement is disabled.|
### Device lockout
Device lockout threshold functionality allows an administrator to configure Windows sign in with BitLocker protection. After the configured number of failed Windows sign in attempts, the device reboots and can only be recovered by providing a BitLocker recovery method.
To take advantage of this functionality, you must configure the policy setting **Interactive logon: Machine account lockout threshold** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options**. Alternatively, use the [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) **MaxFailedPasswordAttempts** policy setting, or the [DeviceLock Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-csp-devicelock#accountlockoutpolicy).
| Error code | Error cause | Resolution|
|-|-|-|
|`E_FVE_DEVICE_LOCKEDOUT`|Device lockout triggered due to too many incorrect sign in attempts.|A BitLocker recovery method is required to return to the sign in screen.|
|`E_FVE_DEVICE_LOCKOUT_MISMATCH`|The device lockout counter is out of sync. |A BitLocker recovery method is required to return to the sign in screen.|
### Boot configuration
The *Boot Configuration Database (BCD)* contains critical information for the Windows boot environment.
| Error code | Error cause | Resolution|
|-|-|-|
|`E_FVE_BAD_CODE_ID`<br><br>`E_FVE_BAD_CODE_OPTION`|BitLocker entered recovery mode because a boot application changed.<br>BitLocker tracks the data inside the BCD and BitLocker recovery can occur when this data changes without warning. <br><br>Refer to the recovery screen to find the boot application that changed.|To remediate this issue, restore the BCD configuration. A BitLocker recovery method is required to unlock the device if the BCD configuration can't be restored before booting.|
For more information, see [Boot Configuration Data settings and BitLocker](bcd-settings-and-bitlocker.md).
### TPM
The Trusted Platform Module (TPM) is cryptographic hardware or firmware used to secure a device. BitLocker creates a *TPM protector* to manage protection of the encryption keys used to encrypt your data.
At boot, BitLocker attempts to communicate with the TPM to unlock the device and access your data.
| Error code | Error cause |
|-|-|
|`E_FVE_TPM_DISABLED` | A TPM is present but is disabled for use before or during boot.|
|`E_FVE_TPM_INVALIDATED` | A TPM is present but invalidated.|
|`E_FVE_BAD_SRK` | The TPM's internal Storage Root Key is corrupted.|
|`E_FVE_TPM_NOT_DETECTED` | The booting system doesn't have or doesn't detect a TPM.|
|`E_MATCHING_PCRS_TPM_FAILURE`| The TPM unexpectedly failed when unsealing the encryption key.|
|`E_FVE_TPM_FAILURE` | Catch-all for other TPM errors.|
For more information, see [Trusted Platform Module Technology Overview](../../../hardware-security/tpm/trusted-platform-module-overview.md) and [BitLocker and TPM](index.md#bitlocker-and-tpm).
### Protector
#### TPM protectors
The TPM contains multiple Platform Configuration Registers (PCRs) that can be used in the validation profile of the BitLocker TPM protector. The PCRs are used to validate the integrity of the boot process, that is, that the boot configuration and boot flow hasn't been tampered with.
BitLocker recovery can be the result of unexpected changes in the PCRs used in the TPM protector validation profile. Changes to PCRs not used in the TPM protector profile don't influence BitLocker.
| Error code | Error cause |Resolution|
|-|-|
|`E_FVE_PCR_MISMATCH`|The device's configuration changed. <br><br>Possible causes include:<br>- A bootable media is inserted. Removing it and restarting your device might fix this problem<br>- A firmware update was applied without updating the TPM protector| A recovery method is required to unlock the device.|
For more examples, see [BitLocker recovery scenarios](recovery-overview.md#bitlocker-recovery-scenarios).
#### Special cases for PCR 7
If the TPM protector uses PCR 7 in the validation profile, BitLocker expects PCR 7 to measure a specific set of events for Secure Boot. These measurements are defined in the UEFI spec. For more information, see [Static Root of Trust Measurements](/previous-versions/windows/hardware/hck/jj923068(v=vs.85)#appendix-a-static-root-of-trust-measurements)
| Error code | Error cause |Resolution|
|-|-|-|
|`E_FVE_SECUREBOOT_DISABLED`|Secure Boot has been disabled. To access the encryption key and unlock your device, BitLocker expects Secure Boot to be on. | Re-enabling Secure Boot and rebooting the system might fix the recovery issue. Otherwise, a recovery method is required to access the device.|
|`E_FVE_SECUREBOOT_CHANGED`|The Secure Boot configuration unexpectedly changed. The boot configuration measured in PCR 7 changed. <br>This may be either because of:<br>- An additional measurement currently present that wasn't present when BitLocker updated the TPM protector<br>- A missing measurement that was present when BitLocker last updated the TPM protector but now isn't present<br>- An expected event has a different measurement | A recovery method is required to unlock the device.|
### Unknown
| Error code | Error cause | Resolution|
|-|-|-|
|`E_FVE_RECOVERY_ERROR_UNKNOWN`| BitLocker entered recovery mode because of an unknown error. | A recovery method is required to unlock the device.|
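Review bot: the Protector table's separator row is `|-|-|` under a three-column header (`| Error code | Error cause |Resolution|`), so the header and delimiter cell counts disagree and the `E_FVE_PCR_MISMATCH` row's Resolution cell will not render reliably as a column; change the separator to `|-|-|-|`. Smaller points in the same hunk: `<Kbd>Alt</kbd>` has mismatched tag case and should be `<kbd>Alt</kbd>`; the "Special cases for PCR 7" paragraph ends without a period after the Static Root of Trust Measurements link; `E_MATCHING_PCRS_TPM_FAILURE` is the only code in the TPM table without the `E_FVE_` prefix, please confirm the identifier against the source; "Some tables include possible resolution" should read "a possible resolution"; "A bootable media is inserted" should be "Bootable media is inserted"; and the opening Device lockout sentence ("allows an administrator to configure Windows sign in with BitLocker protection") is vague, suggest "lets an administrator tie failed Windows sign-in attempts to BitLocker: after the configured number of failed attempts, the device restarts and requires a BitLocker recovery method", which is what the following sentence already states.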