Bitlocker Recovery Key From Recovery Key Id

[Claribel Szwaja]

Aspart of the BitLocker recovery process, it's recommended to determine what caused a device to enter in recovery mode. Root cause analysis might help to prevent the problem from occurring again in the future. For instance, if you determine that an attacker modified a device by obtaining physical access, you can implement new security policies for tracking who has physical presence.

For planned scenarios, such as a known hardware or firmware upgrades, initiating recovery can be avoided by temporarily suspending BitLocker protection. Suspending BitLocker leaves the drive fully encrypted, and the administrator can quickly resume BitLocker protection after the planned task is completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key.

If suspended, BitLocker automatically resumes protection when the device is rebooted, unless a reboot count is specified using PowerShell or the manage-bde.exe command line tool. For more information about suspending BitLocker, review the BitLocker operations guide.

Recovery is described within the context of unplanned or undesired behavior. However, recovery can also be caused as an intended production scenario, for example in order to manage access control. When devices are redeployed to other departments or employees in the organization, BitLocker can be forced into recovery before the device is delivered to a new user.

When Startup Repair is launched automatically due to boot failures, it only executes operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. On devices that support specific TPM measurements for PCR[7], the TPM validates that Windows RE is a trusted operating environment and unlocks any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM is disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically, and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker-protected drives.

Windows RE will also ask for your BitLocker recovery key when you start a Remove everything reset from Windows RE on a device that uses the TPM + PIN or Password for OS drive protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally.

Both the Recovery password and Recovery key can be supplied by users in the Control Panel applet (for data and removable drives), or in the preboot recovery screen. It's recommended to configure policy settings to customize the preboot recovery screen, for example by adding a custom message, URL, and help desk contact information. For more information, review the article BitLocker preboot recovery screen.

Answering the questions helps to determine the best BitLocker recovery process for the organization, and to configure BitLocker policy settings accordingly. For example, if the organization has a process for resetting passwords, a similar process can be used for BitLocker recovery. If users aren't allowed to save or retrieve recovery information, the organization can use a data recovery agents (DRAs), or automatically back up recovery information.

In each of these policies, select Save BitLocker recovery information to Active Directory Domain Services and then choose which BitLocker recovery information to store in AD DS. Use the option Do not enable BitLocker until recovery information is stored in AD DS to prevent users from enabling BitLocker unless the backup of BitLocker recovery information for the drive to Microsoft Entra ID or AD DS succeeds.

To recover BitLocker, a user can use a recovery password, if available. The BitLocker recovery password is unique to the device it was created on, and can be saved in different ways. Depending on the configured policy settings, the recovery password can be:

Having access to the recovery password allows the holder to unlock a BitLocker-protected volume and access all of its data. Therefore, it's important for your organization to establish procedures to control access to recovery passwords and ensure that they're stored securely, separate from the devices they protect.

There's an option for storing the BitLocker recovery key in a user's Microsoft account. The option is available for devices that aren't members of a domain and that the user is using a Microsoft account. Storing the recovery password in a Microsoft account is the default recommended recovery key storage method for devices that aren't Microsoft Entra joined or Active Directory joined.

Backup of the recovery password should be configured before BitLocker is enabled, but can also be done after encryption, as described in the BitLocker operations guide.

The preferred backup methodology in an organization is to automatically store BitLocker recovery information in a central location. Depending on the organization's requirements, the recovery information can be stored in Microsoft Entra ID, AD DS, or file shares.

There's no automatic way to store the recovery key for removable storage devices in Microsoft Entra ID or AD DS. However, you can use PowerShell or the manage.bde.exe command to do so. For more information and examples, review the BitLocker operations guide.

DRAs can be used to recover OS drives, fixed data drives, and removable data drives. However, when used to recover OS drives, the operating system drive must be mounted on another device as a data drive for the DRA to be able to unlock the drive. Data recovery agents are added to the drive when it's encrypted, and can be updated after encryption occurs.

The benefit of using a DRA over password or key recovery is that the DRA acts as a master key for BitLocker. With a DRA you can recover any volume protected by the policy, without having to find a specific password or key for each individual volume.

The BitLocker recovery information for Microsoft Entra joined devices can be stored in Microsoft Entra ID. The advantage of storing the BitLocker recovery passwords in Microsoft Entra ID, is that users can easily retrieve the passwords for the devices assigned to them from the web, without involving the help desk.

The BitLocker recovery password information stored in Microsoft Entra ID is a bitlockerRecoveryKey resource type. The resource can be retrieved from the Microsoft Entra admin center, the Microsoft Intune admin center (for devices enrolled in Microsoft Intune), using PowerShell, or using Microsoft Graph. For more information, see bitlockerRecoveryKey resource type.

The BitLocker recovery information for a device joined to an Active Directory domain can be stored in AD DS. The information is stored in a child object of the computer object itself. Each BitLocker recovery object includes the recovery password and other recovery information. More than one BitLocker recovery object can exist under each computer object, because there can be more than one recovery password associated with a BitLocker-enabled volume.

The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the Backup recovery password and key package policy setting must be selected in the policy that controls the recovery method. The key package can also be exported from a working volume.

During a Cortex XDR PoC, the end user activated the Disk encryption policy on a couple of workstations without confirming the pre-requisities so these workstations encrypted the HDD (C:) and after the first reboot started asking for the bitlocker recovery key.

Now, the issue is that the key is not present on Active Directory and the user said that it got no other prompt to save the key on the endpoint. My question is that if XDR activated the bitlocker policy and if it was not able to save the recovery key, should it encrypt anyway? I now have a couple of workstations that have their disks encrypted and no way to rollback or unlock them.

Is there a tool or some some log which can show, what prerequisites are not met? I have some PC's I think are compliant, but the Disk Encryption Visibility portal doesn't share my opinion. And I don't know what is the problem.

BitLocker is a Microsoft encryption product that is designed to protect user data on a computer. If a problem with BitLocker occurs, you encounter a prompt for a BitLocker recovery key. If you do not have a working recovery key for the BitLocker prompt, you are unable to access the computer.

Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 10 and 11, Microsoft offers BitLocker Device Encryption support on a broader range of devices. These include those that support Modern Standby, and devices that run Windows 10 Home Edition or Windows 11. All computers that Dell currently ships are Modern Standby compliant and the above applies. A registry key that Dell leaves in a neutral state controls this behavior, neither prohibiting nor enforcing encryption. Windows interprets this as approval to encrypt.

BitLocker encryption is often intentionally activated by or on behalf of a user with full administrative access to your device. This user could be you, another user, or an organization managing your device. Dell does not enable BitLocker on any device, BitLocker is enabled by the user during setup or domain configuration by an administrator.

A BIOS update can trigger a BitLocker Recovery event as the PCR banks between the time Windows runs, and the time the BIOS is flashed, changes. However, all Dell BIOS updates suspend BitLocker before the flash so a BitLocker Recovery event cannot occur as a result of updating the firmware. If the computer goes into recovery mode, it is likely due to an external drive being connected as it changes the boot drive enumeration. Users can configure this in the BIOS. Outside of this specific scenario, there is not an event that triggers BitLocker encryption unexpectedly. The BitLocker encryption process happens in the background and often goes unnoticed by users until a Recovery event occurs.

3a8082e126