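Dear VeraCrypt support,
I have exactly the same issue as explained here:
https://answers.microsoft.com/en-us/windows/forum/windows8_1-security-winsec/bitlocker-enabled-itself-after-veracrypt-reboot/f88e8c0b-b9e2-4b4d-af96-7456cc6ba25d
Having Windows 10 Home (and not Pro) version installed, I cannot have BitLocker activated. Also, using the VeraCrypt recovery USB stick didn't help at all.
It happened during the pretest, so the system storage is not yet encrypted, however I don't see any other solution than to reinstall Windows.
I installed VeraCrypt on lots of laptops with Windows 10 Home and never encountered such an issue.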
Any idea?
Thanks.
Last edit: Cyril HAZOTTE 2018-11-14
After investigation, it looks like the Asus UX430UA comes with Windows 10 Pro and not Home. :/
How do VeraCrypt and BitLocker combine when both are activated? I am aware that having both solutions makes one useless, but perhaps I am not the only one not being aware of BitLocker enabled and trying to use VeraCrypt..?
I also remember the Secure Boot was left enabled. I disabled it later but the BitLocker recovery keeps appearing after a successful VeraCrypt auth.
As the VeraCrypt pretest made the BitLocker recovery appear after a successful unlock password was entered, is there a way, after the VeraCrypt loader is removed, to restore the original boot, preventing the BitLocker recovery screen, so that I can reach again Windows 10 Pro?
Thanks a lot!
Cyril
Hi - for what it's worth I too have just spent 4 hours with the same problem. A new Dell XPS 15 with UEFI BIOS enabled and running W10 Ent. I've used Truecrypt & VC for several years and so set up the 'encrypt whole disk' option and on reboot entered the correct passphrase, which was accepted. But instead of booting to W10 I get a blue & white Bitlocker recovery screen. But I have never set up BL on this box, so perhaps VC is confusing W10 into thinking it's running BL? I could do nothing to get it to work - 'escape' at start up didn't work, my VC recovery USB didn't shift it and in the end I had to reformat and reinstall W10.
Happy to do some more tests if anyone has any suggestions but if not then I'd be very wary indeed of using the current (Dec 2018 HF) version of VC on any UEFI secure boot PC.....
Oh yes, F8 and the various W10 recovery modes also failed to recover the ability to boot, although they did give me the BL screen in B&W as opposed to blue & white.. ;{
Hello, any updates on this? I am also having a similar issue on my Lenovo X1 Tablet 3rd generation. I have tried everything and am wondering if I will have to reimage by asking Lenovo for the image. Thanks in advance for your responses.
Possible Solution
I had the same problem as others here and was able to recover my device without reimaging it.
Device: Microsoft Surface Pro 6 running Win10 Home
Environment: I did not specifically enable BitLocker as has been mentioned on some other threads, but it evidently self-enabled when I used an Azure domain account on the device. Frustrating. The install of Veracrypt (system partition) went smoothly as it had dozens of times before. The BitLocker screen was a nasty surprise; I've never had this issue on other BitLocker enabled laptops and UEFI systems.
Attempted Fixes: The Veracrypt recovery disk (USB) was useless in this case. I was able to get the BitLocker recovery key from Azure, but it made no difference and none of the BitLocker boot options worked (recovery, restore point, etc). I went into the UEFI settings and disabled Secure Boot. It made no difference in the behavior. Playing with the boot options (order and enable / disable) made no difference either.
Solution (Partial): Eventually, with Secure Boot disabled, I also disabled the TPM in the UEFI. That did it - the system rebooted into Windows as normal. I was able to log in and re-launch Veracrypt (which picked up where it left off and thought everything went fine). I deferred the system encryption, and then immediately had it permanently decrypt the system drive. For what it's worth, this process happened without the recovery disk inserted.
I say this is a partial solution because even as I type this, I'm still tinkering with the device and it's not back to 100% yet. Veracrypt is gone / off, but Bitlocker keeps interrupting the boot process and asking for a recovery key. I'll update my post once I get this part figured out, but I wanted to let others know how to at least get back into Windows and at least back up / recover data before taking more drastic [reimage] actions. Good luck.
Update to my previous post...
Re-enabling the TPM by itself didn't work, but re-enabling the TPM and Secure Boot seems to have restored the system to its previous working condition. After making the UEFI changes, it required me to enter the BitLocker Recovery Key again and after one last restart it booted into Windows with no issues. A few power cycles and restarts confirmed the BitLocker demon is no longer being poked.
Here's a condensed version of the BitLocker vs Veracrypt cage match solution. I'm not ready to go through this all over again on my machine so I haven't tested this step-by-step. If you find it works or it needs tweaks please post an update here. This is based on my Microsoft Surface Pro 6 tablet running Win10Home 64bit.
1. Remove the Veracrypt recovery disk if necessary.
2. Boot device, enter Veracrypt password / PIM / keyfile / etc.
3. At BitLocker screen, click "Skip this Drive", then "Troubleshoot", then "Advanced Options", then the Boot / UEFI / Firmware option.
4. Go to the "Security" tab, disable Secure Boot and the TPM. Acknowledge the various warnings.
5. Go to Exit to save and restart the computer.
6. Upon reboot, enter the Veracrypt password / PIM / keyfile / etc again. System will hopefully boot into Windows.
7. Once logged in to Windows, launch Veracrypt. It will think everything went fine and prompt you to start encrypting the system drive. There is no option to cancel or go back, so the only thing you can do is "Defer". Once deferred, go back into Veracrypt and Decrypt System Drive. It will do its thing and then prompt you to reboot.
8. Upon rebooting the system will still be captured by BitLocker, but the Veracrypt prompt should be gone.
9. Repeat the UEFI procedure from Step 4, this time re-enabling the TPM and Secure Boot. Exit (save) and restart.
10a. The system will restart, and BitLocker will prompt you again. In my case I entered the BitLocker Recovery Key and it restarted one last time, with Windows performing normally from then on.
10b. I don't know if this will still work if you don't enter a Recovery Key but instead use "skip this drive" and then click the "Continue to Windows" option. If anyone has luck with this method please comment; it may save some folks who don't have a BitLocker recovery key.
If you are in a situation where you're using Windows 10 Home and / or didn't intentionally activate BitLocker but it activated on its own, or you're in some other situation where you don't already have the BitLocker Recovery Key, you just might be able to get the key through Windows Azure AD depending on how your account is set up. Here's an overview of how to get your key if everything else is in place:
1. Look for the Azure Portal app (mine was near the upper right in the field of apps) and click to launch it.
2. Once Azure opens, click on "Azure Active Directory" on the left navigation menu.
3. When the AD page opens, click on "Devices" on the new (inset) navigation menu at left.
4. You should see a list of devices tied to your account. Hopefully the device you're having trouble with is listed. Of note, mine was listed twice with two different users, but only one of them had BitLocker info. Click on the affected device, and the device detail page should open.
5. If you're lucky, the BitLocker Key ID and Recovery Key of the Operating System Drive will be listed near the bottom of the page. The first segment of the Key ID should match the Key ID shown on your affected device's BitLocker screen.
6. Copy the Recovery Key (8 groups of 6 digits each) to a safe place for manual entry on your affected device.
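A pre-flight check for the situation reported throughout this thread, where BitLocker turned out to be active without the user having enabled it. This is an added example, not part of the original posts and not VeraCrypt's own tooling; it assumes an elevated PowerShell session on Windows 10 and uses the built-in `Get-BitLockerVolume`, `Get-Tpm` and `Confirm-SecureBootUEFI` cmdlets, falling back to `manage-bde` where the BitLocker module is absent.

```powershell
#Requires -RunAsAdministrator
# Added example: run BEFORE starting the VeraCrypt system-encryption pretest.
$drive = $env:SystemDrive            # normally C:
$bitLockerActive = $null             # stays $null if the state cannot be read

# 1. BitLocker / device-encryption state of the system volume.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint $drive
    $vol | Format-List MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage

    # A volume can be encrypted while protection is off or suspended,
    # so treat either signal as "BitLocker is in play".
    $bitLockerActive = ($vol.VolumeStatus -ne 'FullyDecrypted') -or
                       ($vol.ProtectionStatus -eq 'On')

    # Key protectors: the KeyProtectorId of the RecoveryPassword protector is
    # the Key ID that the recovery screen and Azure AD display.
    $vol.KeyProtector |
        Format-List KeyProtectorType, KeyProtectorId, RecoveryPassword
} else {
    # Assumption: BitLocker module not available; manage-bde reports the same data.
    manage-bde -status $drive
    manage-bde -protectors -get $drive
}

# 2. TPM state (the thread's workaround toggled the TPM in UEFI setup).
Get-Tpm | Format-List TpmPresent, TpmReady

# 3. Secure Boot state; the cmdlet throws on non-UEFI firmware.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = 'unavailable (not a UEFI system?)' }
"Secure Boot enabled: $secureBoot"

# 4. Verdict for the operator.
if ($bitLockerActive) {
    Write-Warning ("BitLocker is active on $drive. Store the recovery password " +
                   "shown above offline before changing the boot chain.")
} elseif ($null -eq $bitLockerActive) {
    Write-Warning "BitLocker state not evaluated; read the manage-bde output above."
} else {
    "BitLocker is not active on $drive."
}
```

The recovery password is printed in clear text, so run this on a trusted console and store the value away from the machine it protects.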