Windows BitLocker key recovery

BitLocker is a Microsoft technology used to encrypt storage volumes on a computer running Windows. BitLocker-encrypted volumes are protected by these elements:

  • Local BitLocker authentication: BitLocker supports various authentication methods on the device. These can be combinations of hardware (such as a TPM), a PIN, a physical USB startup key, and so on.
  • Recovery key ID: A non-secret GUID generated by Windows uniquely identifying the encryption of a volume.
  • Recovery key: A secret 48-digit password randomly generated by Windows associated with the recovery key ID.

Various issues and scenarios can cause BitLocker to ask for a BitLocker password or recovery key. If a user can't provide the BitLocker password or recovery key, they won't be able to access the encrypted volume. If it's the boot volume that is encrypted, their computer won't be able to boot.

For general information on BitLocker key recovery, see Microsoft's BitLocker recovery guide.

The Endpoint Manager inventory scanner gathers BitLocker volume encryption status, recovery key IDs, and recovery keys. This data is encrypted and securely stored in the Endpoint Manager Client data storage tool. Using information from this tool and the recovery key ID that a user provides, administrators can look up the associated secret BitLocker recovery key and provide it to the user.

BitLocker recovery information for a device is available after its second inventory scan. The second and subsequent scans rely on device serial number data gathered by the first scan.

You can recover a BitLocker recovery key for a device from the Network view, or you can do it from the Client data storage tool. For more information, see Viewing Client data storage.
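As an added example (not Endpoint Manager's own code or part of this guide), the following PowerShell shows the same three elements described above as a single device exposes them locally through the built-in BitLocker module: per-volume encryption status, the non-secret recovery key IDs, and the matching 48-digit recovery passwords. The function names and the sample key ID are assumptions; the lookup accepts either a full key ID or the 8-character prefix shown on the BitLocker recovery screen, and refuses an ambiguous prefix rather than returning the wrong key.

```powershell
#Requires -RunAsAdministrator
# Added example; needs the BitLocker PowerShell module (Windows 8 / Server 2012 and later).

function Get-BitLockerRecoveryInventory {
    # One row per recovery-password protector: volume, status, key ID, key.
    Get-BitLockerVolume | ForEach-Object {
        $vol = $_
        $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object {
                [pscustomobject]@{
                    MountPoint       = $vol.MountPoint
                    ProtectionStatus = $vol.ProtectionStatus        # On / Off
                    VolumeStatus     = $vol.VolumeStatus            # FullyEncrypted, etc.
                    RecoveryKeyId    = $_.KeyProtectorId.Trim('{}') # non-secret GUID
                    RecoveryPassword = $_.RecoveryPassword          # secret, 48 digits
                }
            }
    }
}

function Find-BitLockerRecoveryPassword {
    # The recovery screen shows only the first 8 characters of the key ID,
    # so accept a full GUID or that prefix and match case-insensitively.
    param([Parameter(Mandatory)][string]$RecoveryKeyId)

    $needle = $RecoveryKeyId.Trim('{}').ToUpperInvariant()
    $hits = @(Get-BitLockerRecoveryInventory |
        Where-Object { $_.RecoveryKeyId.ToUpperInvariant().StartsWith($needle) })

    if ($hits.Count -eq 0) {
        throw "No recovery-password protector on this device matches ID '$RecoveryKeyId'."
    }
    if ($hits.Count -gt 1 -and $needle.Length -lt 36) {
        throw "ID prefix '$needle' matches more than one protector; ask the user for more characters."
    }
    $hits
}

# Usage (the ID below is a constructed placeholder, not a real key ID):
# Find-BitLockerRecoveryPassword -RecoveryKeyId 'A1B2C3D4' |
#     Format-List MountPoint, VolumeStatus, RecoveryKeyId, RecoveryPassword
```

Only the RecoveryKeyId column is safe to log or display freely; RecoveryPassword is the secret the Client data storage tool keeps encrypted, and the same care applies to any output of this script.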