Bitlocker helps to protect your data but sometimes can also prevent you from accessing your data. In these cases, you will need to enter the Bitlocker Recovery Key to unlock the data on your hard disk. But where do you find the recovery key?
The good news is that the BitLocker recovery key is usually stored automatically in a safe location that you can access from another device. But if you can’t find the recovery key, then the data can’t be decrypted anymore.
In this article
In this article, I will first explain briefly how Bitlocker works. But most importantly, we will take a look at the different places where we can find the Bitlocker Recovery Key.
How does Bitlocker work?
Before we look at the places where we can find the recovery key, it’s good to know how Bitlocker works. This may even result in solving the problem without the need for the recovery key.
Bitlocker is used to encrypt the data on your hard drive. This way, if somebody gains physical access to your device, they will be unable to read the data from your computer, even if they place the hard drive into another computer. To do this, Bitlocker uses the TPM chip that is built into your computer. To encrypt and decrypt the data, a key is used that is stored inside the TPM chip.
When you start your computer, the TPM chip does a couple of measurements to check that the computer hasn’t been tampered with. When everything is OK, it releases the key to Windows, so your computer can start up.
But if it detects a change, then it will ask for the Bitlocker Recovery Key to protect your data. The following changes can trigger the Bitlocker Recovery screen:
- Hardware changes
- BIOS changes
- Changes in the Windows Kernel files (updating / reinstalling Windows)
- Firmware updates
- Modifying boot components
Reverting Hardware Changes
The most important one to note from this list is the hardware change. You can change one hardware component at a time. Adding an additional RAM module won’t trigger the Bitlocker Recovery screen. But if you install a new video card and add RAM at the same time, then you might need to enter the recovery key.
So if you just have changed hardware components and can’t find the recovery key, then the easiest step to solve this, is to revert the hardware change. Once everything is restored as before, you will probably be able to boot your computer.
Then it’s important to first disable or suspend Bitlocker, make the changes, re-enable Bitlocker, and this time store the key in a safe place.
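The suspend, change, re-enable procedure above, as an added PowerShell example (not part of the original article). It uses the built-in BitLocker cmdlets and assumes you run it from an elevated PowerShell session on the machine itself; the mount point `C:` is an assumption.

```powershell
# Added example: suspend BitLocker on the system drive for exactly one reboot before a
# hardware or firmware change, then confirm protection is back on afterwards.
# Assumes an elevated session and that the OS drive is C: (change $MountPoint if not).

function Suspend-BitLockerForChange {
    param([string]$MountPoint = "C:")

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        "Protection on $MountPoint is already $($vol.ProtectionStatus); nothing to suspend."
        return
    }

    # -RebootCount 1 suspends protection for one boot only, so the TPM measurements
    # are refreshed after the change and protection comes back on by itself. This
    # avoids leaving the drive unprotected if you forget to resume it manually.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    "BitLocker on $MountPoint suspended for the next reboot. Shut down and make the hardware change now."
}

function Confirm-BitLockerResumed {
    param([string]$MountPoint = "C:")

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        # Resume explicitly if the automatic resume did not happen (e.g. more than one reboot)
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    "Protection on $MountPoint is now $($vol.ProtectionStatus) (volume status: $($vol.VolumeStatus))."
}

# Usage: run the first function before the change, the second after booting back into Windows.
Suspend-BitLockerForChange -MountPoint "C:"
# ... shut down, swap the hardware, boot into Windows ...
Confirm-BitLockerResumed -MountPoint "C:"
```

Run the first function before you shut down and the second one after you are back in Windows; if you have not yet backed up the recovery key, do that before suspending, as described further down in this article.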
Finding your BitLocker Recovery Key
When you enabled Bitlocker on your computer, you were given a couple of options to store the recovery key. Note that you can’t store the recovery key on the encrypted drive itself. The options that are given are:
- Save to your Microsoft Account (for personal devices)
- Save to Azure AD (for company devices)
- Save to a file
- Print the recovery key
Save to a file is only possible on another drive or USB drive. So make sure that you check any USB drive or external hard drive that you have lying around.
Tip: If you have ever logged in with your work account on your personal computer, then it’s possible that the recovery key is stored in the Azure AD environment of your work. It might be worth reaching out to your work’s IT department for it.
For personal devices, you were given the option to save the Bitlocker Recovery Key to your Microsoft account. This is the most recommended option for personal devices, so let’s take a look in your Microsoft account. You can access your account from your phone or another device.
Tip: Your Microsoft Account doesn’t have to be an @live, @hotmail or @outlook account name. It can be any email address as the user name, including Gmail, Yahoo!, personal or business email addresses.
So make sure you try all possible accounts that you have!
- Open account.microsoft.com
- Click on Sign-In and log in with your personal account
- Under Devices, click on view details under your computer
- Scroll a bit down and click on Manage recovery keys
- The recovery key will be listed here. If you see multiple keys, use the last one or make sure that the Key IDs match.
Saved to a File or USB
When you have chosen to save the recovery key to a file or USB, then the key is stored inside a text file. In the text file, you will find the Key ID (Identifier), which should match the ID that you see on your blue screen, as well as the recovery key itself.
The name of the text file starts with BitLocker Recovery Key followed by an ID. Keep in mind that the file can only be stored on a hard drive that isn’t encrypted with BitLocker.
If you have multiple hard drives or partitions in your computer, then it’s possible that you have stored it on another disk. To access the drive, you can remove your hard drive from your computer, and connect to another computer. You will then be able to access all non-encrypted partitions and search for the recovery key.
You can use the following small PowerShell script to automatically search for the recovery file:
```powershell
# Search the D: drive for a file whose name starts with 'Bitlocker Recovery Key'
Get-ChildItem -Path D:\ -Filter 'Bitlocker Recovery Key*' -Recurse -File -ErrorAction SilentlyContinue
```
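Going a step further than the one-liner above, this added example (not from the original article) searches every drive letter on the computer, reads each recovery key file it finds, and pulls out the Identifier and the recovery key so you can compare the Identifier with the one on the recovery screen. The file layout it parses (an "Identifier:" line followed by a GUID and a "Recovery Key:" line followed by eight groups of six digits) is the standard Windows export format; the optional key ID prefix is an assumption for filtering.

```powershell
# Added example: search all drive letters for BitLocker recovery key files and extract
# the Identifier (Key ID) and recovery key from each. Drives that are themselves locked
# by BitLocker simply produce access errors, which are suppressed.

function Find-BitLockerRecoveryKeyFiles {
    param(
        # Optional: first 8 characters of the Key ID shown on the recovery screen
        [string]$KeyIdPrefix = ""
    )

    # Patterns for the two values inside the exported text file
    $guidPattern = '[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}'
    $keyPattern  = '(\d{6}-){7}\d{6}'

    # Only real drive letters (C:\, D:\, E:\ ...), including USB sticks and external disks
    $roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }

    foreach ($drive in $roots) {
        $files = Get-ChildItem -Path $drive.Root -Filter 'BitLocker Recovery Key*' -Recurse -File -ErrorAction SilentlyContinue
        foreach ($file in $files) {
            $text = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
            if (-not $text) { continue }

            $id  = [regex]::Match($text, $guidPattern).Value
            $key = [regex]::Match($text, $keyPattern).Value

            # Skip files that do not contain both values (e.g. a stray file with a similar name)
            if (-not $id -or -not $key) { continue }

            # If a prefix was given, only keep the file whose Identifier starts with it
            if ($KeyIdPrefix -and -not $id.StartsWith($KeyIdPrefix, [System.StringComparison]::OrdinalIgnoreCase)) { continue }

            [PSCustomObject]@{
                File        = $file.FullName
                Identifier  = $id
                RecoveryKey = $key
            }
        }
    }
}

# Usage: list every key file, or only the one matching the ID on the recovery screen
Find-BitLockerRecoveryKeyFiles | Format-Table -AutoSize
Find-BitLockerRecoveryKeyFiles -KeyIdPrefix "ABCD1234" | Format-List
```

Connect the disk or USB stick to a working computer first, as described above; the function then checks that drive together with all the others, so you do not have to guess which letter it received.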
Is it a company-owned device and is your company using Microsoft Office 365? Then there is a good chance that your system administrator can find the recovery key in Azure AD.
- Open Azure Portal
- Click on Azure Active Directory
- Select Devices on the left side
- Click on All Devices
- Open the device in question
You will find the Bitlocker Recovery Key at the end of the Properties page. If you see multiple Bitlocker keys, then make sure that the ID matches the one on the bluescreen.
If you don’t know the device name, then you can also search through all recovery keys using the Bitlocker Key ID, which is displayed on the Bluescreen on the client’s device. In Azure AD, select Bitlocker Keys under the Devices and enter the key ID.
The recovery keys can also be stored in your Active Directory when configured correctly. For this, the policy “Store Bitlocker Recovery information in Active Directory” needs to be enabled, which you can find in the group policies under Windows Components > Bitlocker Drive Encryption.
To view the recovery keys, we need to open the computer properties in the Active Directory:
- Open the Active Directory Users and Computers
- Open the computer in question
- Click on the Bitlocker Recovery tab to view the Recovery password
If you don’t see the Bitlocker Recovery tab in the Active Directory, then you will need to add a feature in the server manager.
- Open the Server Manager
- Click on Manage > Add Roles and Features
- Click Next and select Features
- Expand Remote Server Administration Tools
- Enable Bitlocker Drive Encryption Administration Utility under Feature Administration Tools
- Click on Install
- Re-open the Active Directory, the tabs should be visible now
If you don’t know the computer name of the device in question, then you can also search for the key in Active Directory. Right-click on the domain and select Find BitLocker Recovery password. You can then search on the password ID using the first 8 characters that are displayed on the client.
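The two Active Directory lookups described above (by computer object, and by the first characters of the password ID) as an added PowerShell example that is not part of the original article. It uses the ActiveDirectory module from RSAT and the same permissions you need for the Bitlocker Recovery tab; the object class `msFVE-RecoveryInformation` and the `msFVE-RecoveryPassword` attribute are the standard schema names BitLocker uses, while the computer and key ID values in the usage lines are placeholders.

```powershell
# Added example: read BitLocker recovery passwords stored in Active Directory, either
# for one computer or by searching the domain on the Key ID prefix from the recovery screen.
# Requires the ActiveDirectory module (RSAT) and rights to read the recovery objects.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryFromAD {
    param(
        [string]$ComputerName,   # look under this computer object only
        [string]$KeyIdPrefix     # or search the whole domain by the first characters of the Key ID
    )

    # Recovery information is stored as child objects of the computer account. Each object is
    # named "<timestamp>{<Key ID GUID>}", so the Key ID prefix can be matched against the name.
    $props = 'msFVE-RecoveryPassword', 'msFVE-VolumeGuid', 'whenCreated'

    if ($ComputerName) {
        $computer = Get-ADComputer -Identity $ComputerName
        $objects = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
            -Filter { objectClass -eq 'msFVE-RecoveryInformation' } -Properties $props
    }
    elseif ($KeyIdPrefix) {
        $objects = Get-ADObject -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$KeyIdPrefix*))" -Properties $props
    }
    else {
        throw "Specify either -ComputerName or -KeyIdPrefix"
    }

    foreach ($o in $objects) {
        # The Key ID is the GUID in braces at the end of the object name
        $keyId = [regex]::Match($o.Name, '\{([0-9A-Fa-f-]{36})\}').Groups[1].Value
        # The parent container of the recovery object is the computer account
        $parentCn = ($o.DistinguishedName -replace '^CN=[^,]+,CN=([^,]+),.*$', '$1')

        [PSCustomObject]@{
            Computer         = $parentCn
            KeyId            = $keyId
            Created          = $o.whenCreated
            RecoveryPassword = $o.'msFVE-RecoveryPassword'
        }
    }
}

# Usage (placeholder values): all keys of one computer, or the key matching the screen
Get-BitLockerRecoveryFromAD -ComputerName "LAPTOP-0001" | Sort-Object Created -Descending | Format-List
Get-BitLockerRecoveryFromAD -KeyIdPrefix "ABCD1234" | Format-List
```

When a computer has several recovery objects (for example after the key was rotated or the drive was re-encrypted), the newest one is usually the right one, but always compare the full KeyId with the one on the recovery screen before using it.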
Another option is that the recovery keys are stored in a network folder. There is a group policy in the Active Directory that can be configured which will set a default folder path to store the recovery password file. So if you can’t find the keys in any of the above places, then it might be a good idea to check if the policy is configured.
Computer Configuration > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Choose default folder for recovery password.
Back up your Bitlocker Recovery Key
If you were able to gain access to your computer with one of the methods mentioned above, then it might be a good idea to make additional backups of your recovery key. The best place for this is in the cloud, this way you can access it from any location. To do this you will need to add a Microsoft account to your computer under Settings > Accounts.
To create additional backups of the key, open the start menu and search for Bitlocker. In the BitLocker Drive Encryption screen, choose Backup your Recovery key.
Choose one of the methods, for example, Print the recovery key and store it in the safe or other places that you have for important personal information.
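The backup step above, as an added PowerShell example that is not part of the original article. It backs up the numerical recovery password of the OS drive to Active Directory and, where the cmdlet is available, to Azure AD, and optionally writes a copy to a folder on another (unencrypted) drive. It assumes an elevated session; `BackupToAAD-BitLockerKeyProtector` is present on current Windows 10 and 11 builds but not on older ones, which is why its presence is checked first, and the drive letter in the usage line is a placeholder.

```powershell
# Added example: back up the recovery password protector of the OS drive to AD and/or Azure AD,
# and optionally to a text file on a removable drive. Run from an elevated PowerShell session.

function Backup-OsDriveRecoveryKey {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [string]$FileDirectory = ""    # e.g. "E:\" for a USB stick; leave empty to skip the file copy
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # Without a numerical recovery password there is nothing to back up, so add one first
    if ($protectors.Count -eq 0) {
        $volume = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $protectors = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    foreach ($p in $protectors) {
        $result = [ordered]@{ KeyId = $p.KeyProtectorId; AD = 'skipped'; AzureAD = 'skipped'; File = 'skipped' }

        # Domain-joined machines: store in the computer object (needs the AD backup policy/permissions)
        try {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            $result.AD = 'ok'
        } catch { $result.AD = "failed: $($_.Exception.Message)" }

        # Azure AD joined machines: cmdlet only exists on newer builds, so check before calling it
        if (Get-Command BackupToAAD-BitLockerKeyProtector -ErrorAction SilentlyContinue) {
            try {
                BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
                $result.AzureAD = 'ok'
            } catch { $result.AzureAD = "failed: $($_.Exception.Message)" }
        }

        # Optional file copy; never write it to the encrypted drive itself
        if ($FileDirectory) {
            if ($FileDirectory.TrimEnd('\') -eq $MountPoint) {
                $result.File = 'refused: same drive as the encrypted volume'
            } else {
                $path = Join-Path $FileDirectory "BitLocker Recovery Key $($p.KeyProtectorId.Trim('{}')).txt"
                @(
                    'BitLocker Drive Encryption recovery key', '',
                    'Identifier:', "`t$($p.KeyProtectorId.Trim('{}'))", '',
                    'Recovery Key:', "`t$($p.RecoveryPassword)"
                ) | Set-Content -Path $path -Encoding Unicode
                $result.File = $path
            }
        }

        [PSCustomObject]$result
    }
}

# Usage (placeholder drive letter): back up to AD/Azure AD and to a USB stick mounted as E:
Backup-OsDriveRecoveryKey -FileDirectory "E:\" | Format-List
```

The output tells you per protector which backup locations succeeded; a failed AD or Azure AD backup usually means the machine is not joined to that directory or the backup policy is not configured, in which case the printed copy or the file on the USB stick is your fallback.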
I really hope you were able to recover the key with one of the methods above. If you were unable to recover the key from any of the places above, then your only option will be to reinstall Windows, which will result in the loss of all your data. Even Microsoft support can’t recover the key for you.
If you have any questions or tips then just drop a comment below.