How to Find and Recover Your BitLocker Recovery Key?

When BitLocker-protected devices undergo significant changes such as hardware modifications or firmware updates, they may prompt you for a BitLocker recovery key. This is a security measure to prevent unauthorized access.

(Image: BitLocker Recovery Screen)

The most frequent reason for this prompt is the detection of a potential security risk, like an unauthorized attempt to access the system, which in turn activates BitLocker’s protective mechanism. Other causes include changes to the BIOS, TPM firmware updates, or modifications to the boot sequence that are perceived as security threats.

Additionally, it’s noteworthy that some users have faced issues where the recovery key doesn’t seem to work, even when the recovery key ID matches, leading to confusion as to why access is not granted. For those who have linked their Microsoft account to their device, the BitLocker recovery key is typically automatically uploaded to Microsoft’s servers, offering a recovery solution when the physical key is lost or unresponsive.

How BitLocker Works

With BitLocker enabled, the Trusted Platform Module (TPM) chip protects the key used to encrypt and decrypt data on your computer, and decides whether the drive should be unlocked or left locked by running a series of integrity checks at boot to prevent unauthorized access.

The TPM measures the hardware, BIOS/UEFI firmware, Windows kernel files and boot components at each start; changes to any of these, including firmware updates, are treated as potential unauthorized access attempts.

Such modifications can trigger the BitLocker Recovery screen, where entering the recovery key is needed.

You can find your BitLocker key through various methods. This guide will walk you through all available options for your particular situation.

1. Use the Command Prompt

If Windows still boots normally (you are not stuck at the BitLocker Recovery screen), you can use the Command Prompt to retrieve your BitLocker key and store it somewhere safe.

This can be done with the ‘manage-bde’ command, which manages BitLocker on your computer.

  1. Open the Start Menu and search for Command Prompt.
  2. Select the Run as administrator option.
    (Image: Opening the Command Prompt)
  3. Click Yes on the User Account Control dialog.
  4. Enter the command below, replacing C: with the drive you are working with, and hit Enter. The RecoveryPassword entry in the output lists the 48-digit recovery key together with its ID:
    manage-bde -protectors -get C:
    (Image: Recovering BitLocker Recovery Key via Command Prompt)
  5. To read the protectors of a remote computer, add the -ComputerName switch, substituting the placeholders with actual values:
    manage-bde -protectors -get C: -ComputerName <RemoteComputerName>
  6. Make sure to replace <RemoteComputerName> and the drive letter appropriately. Do not confuse this with manage-bde -forcerecovery, which does not display the key but forces the drive into recovery mode at the next start.
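The same lookup in PowerShell, as an added example that is not part of the original article: the built-in BitLocker module's Get-BitLockerVolume cmdlet exposes each RecoveryPassword protector with its Key ID, so the script below filters them by the ID prefix shown on the recovery screen. The function name Find-BitLockerRecoveryPassword, its -KeyIdPrefix and -ComputerName parameters and the sample host name are assumptions for this example; the remote path relies on PowerShell remoting (WinRM) being enabled on the target.

```powershell
# Added example, not from the original article: find the RecoveryPassword protector
# whose Key ID begins with the identifier shown on the BitLocker Recovery screen.
# Run in an elevated PowerShell session; uses the built-in BitLocker module.
function Find-BitLockerRecoveryPassword {
    [CmdletBinding()]
    param(
        # First characters of the Key ID displayed on the recovery screen (assumed value).
        [Parameter(Mandatory)] [string] $KeyIdPrefix,
        # Optional remote computer; requires PowerShell remoting (WinRM) on the target.
        [string] $ComputerName
    )

    # Collect every RecoveryPassword protector on every BitLocker volume.
    $collect = {
        Get-BitLockerVolume | ForEach-Object {
            $mount = $_.MountPoint
            $_.KeyProtector |
                Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
                ForEach-Object {
                    [pscustomobject]@{
                        MountPoint       = $mount
                        KeyProtectorId   = $_.KeyProtectorId      # formatted as {GUID}
                        RecoveryPassword = $_.RecoveryPassword    # 48-digit key
                    }
                }
        }
    }

    $protectors = if ($ComputerName) {
        # Same query on the remote machine (counterpart of manage-bde ... -ComputerName).
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $collect
    } else {
        & $collect
    }

    # The screen shows only the start of the ID; compare without braces, ignoring case.
    $protectors | Where-Object {
        $_.KeyProtectorId.Trim('{}').StartsWith($KeyIdPrefix, [StringComparison]::OrdinalIgnoreCase)
    }
}

# Usage (ID prefix and host name are placeholders):
# Find-BitLockerRecoveryPassword -KeyIdPrefix 'A1B2C3D4'
# Find-BitLockerRecoveryPassword -KeyIdPrefix 'A1B2C3D4' -ComputerName 'WORKSTATION-01'
```

Because the function returns objects rather than printing text, the result can be piped to Export-Csv or to Backup-BitLockerKeyProtector in the same session, and an empty result makes it obvious that the locked drive's key is not on this machine at all.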

2. Recover the BitLocker Key via Microsoft Account

When enabling BitLocker on personal devices, it’s recommended to save the recovery key to your Microsoft Account. If this applies to you, use the Microsoft Account portal to find your key.

  1. Visit the Microsoft Account recovery key page at account.microsoft.com/devices/recoverykey.
  2. Sign in with your Microsoft account credentials.
  3. Under the Devices section, select the View Details option.
    (Image: Navigating to Device Details in Microsoft Account)
  4. Find and click on the Manage recovery keys link under BitLocker data protection in the device details menu.
    (Image: Navigating to BitLocker Keys in Microsoft Account)
  5. Your BitLocker recovery key will be displayed.
    (Image: Device Recovery Key)
  6. Match the Key ID from this list with the one shown on the BitLocker Recovery screen.

3. Recover the BitLocker Key from a USB Flash Drive

When activating BitLocker, you may also opt to save the recovery key on a USB flash drive. It will be saved in a text file named “BitLocker Recovery Key” followed by a unique Key ID.

Insert the USB into another computer and open the text file to find the BitLocker Recovery key along with the Identifier. Match this Identifier with the one shown on the BitLocker Recovery screen.

(Image: BitLocker Key in USB Drive)
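As an added example that is not from the original article, the PowerShell function below reads such a key file, extracts the Identifier and Recovery Key, checks the Identifier against the one on the recovery screen, and verifies that the 48-digit key is well formed (each 6-digit block of a genuine recovery password is a 16-bit value multiplied by 11, so it must be divisible by 11 and no larger than 720885). That catches a damaged or hand-edited file before you stand in front of the locked machine typing 48 digits. The function name, its parameters, the drive letter and the sample ID are assumptions.

```powershell
# Added example, not from the original article: validate a saved
# "BitLocker Recovery Key <ID>.TXT" file against the ID on the recovery screen.
function Test-BitLockerRecoveryKeyFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,         # path to the saved key file
        [Parameter(Mandatory)] [string] $ScreenKeyId   # ID prefix shown on the recovery screen
    )

    $text = Get-Content -LiteralPath $Path -Raw

    # The file prints the GUID after "Identifier:" and the 48-digit key after "Recovery Key:".
    $idMatch  = [regex]::Match($text, 'Identifier:\s*([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})')
    $keyMatch = [regex]::Match($text, 'Recovery Key:\s*((?:\d{6}-){7}\d{6})')
    if (-not ($idMatch.Success -and $keyMatch.Success)) {
        throw "Not a BitLocker recovery key file: $Path"
    }
    $identifier  = $idMatch.Groups[1].Value
    $recoveryKey = $keyMatch.Groups[1].Value

    # Each 6-digit block is a 16-bit value times 11: it must be divisible by 11
    # and no larger than 65535 * 11 = 720885. A mistyped block fails this test.
    $badBlocks = @(($recoveryKey -split '-') | Where-Object {
        $n = [int]$_
        ($n % 11 -ne 0) -or ($n -gt 720885)
    })

    [pscustomobject]@{
        Path                  = $Path
        Identifier            = $identifier
        IdentifierMatches     = $identifier.StartsWith($ScreenKeyId, [StringComparison]::OrdinalIgnoreCase)
        RecoveryKey           = $recoveryKey
        RecoveryKeyWellFormed = ($badBlocks.Count -eq 0)
    }
}

# Usage (drive letter and ID prefix are placeholders): check every key file on the USB drive.
# Get-ChildItem 'E:\BitLocker Recovery Key *.TXT' |
#     ForEach-Object { Test-BitLockerRecoveryKeyFile -Path $_.FullName -ScreenKeyId 'A1B2C3D4' }
```

Only a file whose IdentifierMatches and RecoveryKeyWellFormed are both true is worth typing in; a well-formed key with a non-matching identifier belongs to a different drive or protector.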

4. Recover the BitLocker Key from the Azure Portal

For a device that is joined to Azure Active Directory (now Microsoft Entra ID), a system administrator can locate the recovery key within the Azure AD portal.

  1. Access the Azure portal at portal.azure.com.
  2. Proceed to Azure Active Directory.
  3. Select the All devices tab and click on the relevant device.
    (Image: Microsoft Azure Active Directory Devices)
  4. At the bottom of the Properties page, the recovery key can be found.
  5. Click the Show Recovery Key button to view it.
    (Image: BitLocker Recovery Key in Azure Active Directory)
  6. If you aren't sure of the device name in the Azure portal, search by the Key ID instead.
  7. Click on the BitLocker Keys section.
  8. Enter the Key ID in the search field to find the respective recovery key.
    (Image: Searching for BitLocker Recovery Key in Azure Active Directory)

5. Using Active Directory

You can retrieve the BitLocker recovery key via Active Directory provided that a Group Policy was configured to back the recovery key up there before the drive was encrypted; the policy does not retroactively upload keys for drives that were already protected.

  1. Press the Win key + R to open the Run dialog.
  2. Type gpedit.msc, then hit Enter.
    (Image: Opening the Group Policy Editor)
  3. In the Group Policy Editor, go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
  4. Double-click on the Store BitLocker Recovery Information in Active Directory policy.
    (Image: Store BitLocker Recovery Information in Active Directory Policy)
  5. Set it to Enabled and click Apply.
    (Image: Enabling BitLocker Recovery Information in Active Directory)
  6. Open the Active Directory Users and Computers application.
  7. Navigate to the respective computer, and open its properties.
  8. In the properties, locate the BitLocker Recovery tab to find the recovery key.
    (Image: BitLocker Recovery Tab)
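The backup step that sections 4 and 5 both depend on, as an added example that is not part of the original article: the Group Policy above only governs recovery keys created after it is applied, so drives that were already encrypted need their existing RecoveryPassword protectors pushed explicitly to AD DS (Backup-BitLockerKeyProtector, the cmdlet equivalent of manage-bde -protectors -adbackup) or to Azure AD / Microsoft Entra ID (BackupToAAD-BitLockerKeyProtector, the equivalent of manage-bde -protectors -aadbackup). The second function reads the stored keys back out of AD DS to confirm the upload and needs the RSAT ActiveDirectory module. The function names, the -ToAzureAD switch and the example computer name are assumptions.

```powershell
# Added example, not from the original article: back up existing recovery
# passwords to AD DS (and optionally Azure AD / Entra ID), then verify in AD DS.
# Run elevated on the domain-joined client.
function Backup-ExistingBitLockerRecoveryKeys {
    [CmdletBinding()]
    param(
        [string[]] $MountPoint = @('C:'),   # drives whose keys should be backed up
        [switch]   $ToAzureAD               # also back up to Azure AD / Entra ID
    )

    foreach ($mp in $MountPoint) {
        $vol      = Get-BitLockerVolume -MountPoint $mp
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($recovery.Count -eq 0) {
            # Nothing to upload: a TPM-only drive has no numerical recovery password.
            Write-Warning "$mp has no RecoveryPassword protector; add one with Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector first."
            continue
        }
        foreach ($p in $recovery) {
            # Equivalent to: manage-bde -protectors -adbackup <drive> -id {GUID}
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
            if ($ToAzureAD) {
                # Equivalent to: manage-bde -protectors -aadbackup <drive> -id {GUID}
                BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
            }
            [pscustomobject]@{
                MountPoint     = $mp
                KeyProtectorId = $p.KeyProtectorId
                BackedUpToAD   = $true
                BackedUpToAAD  = [bool]$ToAzureAD
            }
        }
    }
}

# Verification from a machine with the RSAT ActiveDirectory module: each backed-up key is an
# msFVE-RecoveryInformation object stored beneath the computer account.
function Get-ADBitLockerRecoveryKeys {
    param([Parameter(Mandatory)] [string] $ComputerName)   # sAMAccountName without the trailing $

    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName `
                 -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -Properties 'msFVE-RecoveryPassword' |
        Select-Object Name,   # the object name carries the backup timestamp and the Key ID
                      @{ n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' } }
}

# Usage (computer name is a placeholder):
# Backup-ExistingBitLockerRecoveryKeys -MountPoint 'C:', 'D:' -ToAzureAD
# Get-ADBitLockerRecoveryKeys -ComputerName 'WORKSTATION-01'
```

Run the backup once after enabling the policy and again after any key rotation; the verification function returning no objects for a computer means the BitLocker Recovery tab in Active Directory Users and Computers will be empty for it too.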

If you cannot see the BitLocker Recovery tab, it could be because the BitLocker Drive Encryption Administration Utilities feature is not installed.

  1. Open the Server Manager.
  2. Head to Manage > Add Roles and Features.
  3. In the Features section, expand the Remote Server Administration Tools category.
  4. Expand the list for Feature Administration Tools.
  5. Check the box for BitLocker Drive Encryption Administration Utilities, then click Install.
    (Image: Enabling BitLocker Drive Encryption Administration Utilities)

These various methods should enable you to retrieve the BitLocker Recovery key for different situations.

ABOUT THE AUTHOR

Kevin Arrows


Kevin Arrows is a highly experienced and knowledgeable technology specialist with over a decade of industry experience. He holds a Microsoft Certified Technology Specialist (MCTS) certification and has a deep passion for staying up-to-date on the latest tech developments. Kevin has written extensively on a wide range of tech-related topics, showcasing his expertise and knowledge in areas such as software development, cybersecurity, and cloud computing. His contributions to the tech field have been widely recognized and respected by his peers, and he is highly regarded for his ability to explain complex technical concepts in a clear and concise manner.