Bitkey Recovery (MBAM)
All College-managed Windows desktop computers are encrypted with Bitlocker to protect personal data. Bitlocker prevents access to your hard drive if anyone tampers with your desktop or tries to bypass Windows authentication with a hacking tool on a USB stick.
If you are presented with a message to enter your Bitlocker key, you can recover it by entering your College username and password on our Bitkey recovery website, which is managed by MBAM (Microsoft Bitlocker Administration and Monitoring).
What is MBAM?
MBAM (Microsoft Bitlocker Administration and Monitoring) is a Microsoft feature that allows users to recover their own Bitlocker keys without having to contact Imperial College ICT. It also allows ICT to produce reports on device compliance under GDPR.
What is Bitlocker?
Bitlocker is a Windows 7/10 feature that encrypts the C drive. It ensures that Windows boots without any USB device bypassing authentication, and it prevents unauthorised access such as removing the hard drive/SSD and docking it on another device. Recovering data from an unencrypted device is a trivial process that puts personal data at great risk, whereas encryption, at the current state of the art, is virtually unbreakable without the 48-character security key.
How does MBAM work?
MBAM manages Bitlocker: it encrypts the system drive of your machine and, whenever Windows boots (after being turned on or restarted), uses a Trusted Platform Module (TPM) chip to confirm that nothing has been changed that could affect your data security.
Why is my machine asking for a recovery key?
If your machine displays a message asking for a recovery key, it means Bitlocker detected an unexpected change and has put the device in lockout mode.
If the message is asking for a PIN instead, the machine is not locked, but might require additional authentication.
Where do I get the recovery key?
If the message displays a link, it means that the machine has been encrypted with MBAM and you can get your recovery key using our Bitkey recovery website.
The Bitlocker Recovery Website is asking for a Key ID. Where do I get it?
The Key ID is displayed on the monitor of the locked device. You must then enter at least 8 characters of the Key ID displayed on your encrypted device.
Do I need to provide a reason?
Yes, but if you do not know, please select BIOS/TPM Changed, as it is the most common case.
What happens once I input the key ID and the reason?
The page should display your recovery key. If it does not, you might need to enter additional characters of your Key ID and double-check that the code is correct. Then type the recovery key into the locked device to unlock it.
Why did the machine lock itself?
The most common reason is a change in the boot order, usually due to a USB key plugged in during boot or a change to your BIOS. Sometimes it can also be caused by Windows installing software updates.
How can I avoid this in the future?
If your machine locked without a known reason, please contact our Service Desk and ICT will investigate and explain what happened and how to prevent it.
Can I recover a key for a machine I never used?
Please note that you can only recover keys for machines you have logged on to recently.
What if I see the link in the display but do not have access to another web browser?
If you cannot use another device, please contact our Service Desk and they will be able to perform this procedure for you.
The message on the lock screen does not display a link. What can I do?
If the message does not display a link, it means it is using a legacy Bitlocker configuration not linked to MBAM. Please contact our Service Desk and be ready to provide them with the Key ID and your details, and they will find the key for you in our directory.