Windows BitLocker key recovery (2020.1)

BitLocker is a Microsoft technology used to encrypt storage volumes on a computer running Windows. BitLocker encrypted volumes are protected by these elements:

  • Local BitLocker authentication: BitLocker supports various authentication methods on the device. This can be combinations of hardware, a PIN, a physical USB startup key, and so on.
  • Recovery key ID: A non-secret GUID generated by Windows uniquely identifying the encryption of a volume.
  • Recovery key: A secret 48-digit password randomly generated by Windows associated with the recovery key ID.

Various issues and scenarios can cause BitLocker to ask for a BitLocker password or recovery key. If a user can't provide the BitLocker password or recovery key, they won't be able to access the encrypted volume. If it's the boot volume that is encrypted, their computer won't be able to boot.

For general information on BitLocker key recovery, see Microsoft's BitLocker recovery guide.

The Endpoint Manager inventory scanner gathers BitLocker volume encryption status, recovery key IDs, and recovery keys. This data is encrypted and securely stored in the Endpoint Manager Client data storage tool. Using information from this tool and the recovery key ID that a user provides, administrators can view the associated BitLocker secret recovery key and give that to a user.

BitLocker recovery information for a device is available after its second inventory scan. The second and subsequent scans rely on device serial number data gathered by the first scan.

You can recover a BitLocker recovery key for a device from the Network view, or you can do it from the Client data storage tool. For more information, see Viewing Client data storage.