Windows BitLocker key recovery (2020.1)

BitLocker is a Microsoft technology used to encrypt storage volumes on a computer running Windows. BitLocker encrypted volumes are protected by these elements:

  • Local BitLocker authentication: BitLocker supports various authentication methods on the device. These can be combinations of hardware, a PIN, a physical USB startup key, and so on.
  • Recovery key ID: A non-secret GUID generated by Windows uniquely identifying the encryption of a volume.
  • Recovery key: A secret 48-digit password randomly generated by Windows associated with the recovery key ID.

Various issues and scenarios can cause BitLocker to ask for a BitLocker password or recovery key. If a user can't provide the BitLocker password or recovery key, they won't be able to access the encrypted volume. If it's the boot volume that is encrypted, their computer won't be able to boot.

The Endpoint Manager inventory scanner gathers BitLocker volume encryption status, recovery key IDs, and recovery keys. This data is encrypted and securely stored in the Endpoint Manager Client data storage tool. Using information from this tool and the recovery key ID that a user provides, administrators can view the associated BitLocker secret recovery key and give that to a user.

BitLocker recovery information for a device is available after its second inventory scan. The second and subsequent scans rely on device serial number data gathered by the first scan.

You can recover a BitLocker recovery key for a device from the Network view, or you can do it from the Client data storage tool. For more information, see Viewing Client data storage.

To recover a BitLocker recovery key for a device from the Network view
  1. In the Network view, right-click the device you want, then click Security and Patch > Recover keys > BitLocker.
  2. The end user is probably on the BitLocker screen that asks them to "Enter the password to unlock this drive." Have them press the Esc key so the BitLocker recovery screen appears. This screen shows their Recovery key ID.
  3. In the Key Protector ID field, enter the Recovery key ID as shown on the end user's BitLocker recovery screen. The data you enter must be in GUID format and the field won't let you enter invalid data.
  4. Click Check, and if the Key Protector ID is valid, the associated 48-digit recovery key is shown in the Key field.
  5. Have the end user enter the recovered Key in their "Enter the recovery key for this drive" field. If all of this was done correctly, the end user can press Enter and unlock the BitLocker volume.
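The following is an added example, not code from Endpoint Manager or Microsoft, that shows the checks behind steps 3 and 4 above and the two key elements described at the top of the page: the recovery key ID is accepted only in GUID format (braces and letter case as shown on the recovery screen are tolerated), the matching 48-digit recovery key is looked up in a constructed inventory record, and the key is checked for the BitLocker recovery password format (8 groups of 6 digits, each group a multiple of 11 whose quotient fits in 16 bits) before it is handed to the user. The inventory field names, device name, GUID and key values are all constructed for this example; they are not the product's schema or real data.

```python
import re
import uuid

# Constructed inventory records (hypothetical field names, not the product's schema).
# Each record pairs a recovery key ID (a GUID) with its 48-digit recovery key.
SAMPLE_INVENTORY = [
    {
        "device": "LAPTOP-0001",                                      # constructed
        "volume": "C:",
        "key_protector_id": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",  # constructed GUID
        # constructed key: every group is 11 * (a 16-bit value), e.g. 720885 = 11 * 65535
        "recovery_key": "135795-597531-000011-720885-440000-109989-344707-022220",
    },
]


def normalize_key_protector_id(text):
    """Accept the Recovery key ID as read from the BitLocker recovery screen,
    with or without braces and in any letter case; return the canonical
    lowercase GUID, or None if the input is not a GUID at all."""
    try:
        return str(uuid.UUID(text.strip()))
    except ValueError:
        return None


def normalize_recovery_key(text):
    """Accept a 48-digit key typed with or without dashes/spaces and return it
    in the dashed 6-digit-group form, or None if it is not 48 digits."""
    digits = re.sub(r"[\s-]", "", text)
    if not re.fullmatch(r"\d{48}", digits):
        return None
    return "-".join(digits[i:i + 6] for i in range(0, 48, 6))


def recovery_key_is_well_formed(key):
    """Format check for a BitLocker recovery password: 8 groups of 6 digits,
    each group divisible by 11 and at most 11 * 65535. This catches a
    transcription error in the stored or typed key; it does not prove the key
    belongs to any particular volume."""
    normalized = normalize_recovery_key(key)
    if normalized is None:
        return False
    for group in normalized.split("-"):
        value = int(group)
        if value % 11 != 0 or value // 11 > 0xFFFF:
            return False
    return True


def lookup_recovery_key(inventory, key_protector_id):
    """Return the recovery key for the given Key Protector ID, or None when the
    inventory has no record for it. Raises ValueError for a non-GUID ID (as the
    Key Protector ID field refuses invalid input) and for a stored key that
    fails the format check, so a corrupted record is never handed to a user."""
    canonical = normalize_key_protector_id(key_protector_id)
    if canonical is None:
        raise ValueError("Key Protector ID must be in GUID format")
    for record in inventory:
        if record["key_protector_id"].lower() == canonical:
            key = record["recovery_key"]
            if not recovery_key_is_well_formed(key):
                raise ValueError("stored recovery key is malformed")
            return normalize_recovery_key(key)
    return None


if __name__ == "__main__":
    # The ID is typed the way it appears on the recovery screen: braces, uppercase.
    shown_id = "{3F2504E0-4F89-11D3-9A0C-0305E82C3301}"
    print("Key:", lookup_recovery_key(SAMPLE_INVENTORY, shown_id))
    print("Unknown ID:", lookup_recovery_key(SAMPLE_INVENTORY, str(uuid.UUID(int=0))))
```

The format rule is worth keeping in a help-desk tool because a single mistyped digit breaks the multiple-of-11 property of its group, so the check fails fast before the user spends time re-entering a key that was read back wrongly; the lookup itself returns only the key for the exact Key Protector ID the user shows, never the whole record set.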