Retrieve BitLocker Recovery Key

Quick intro

BitLocker is like backup. It’s good to have it. It’s better to have the restore verified as well.

If you’re planning to implement BitLocker into your organization (or already have that), it’s good to know what’s the choice of storing the recovery password:

  • print
  • save to a file – either usb stick or unc share
  • backup to ActiveDirectory
  • backup to Azure ActiveDirectory
  • use MBAM

More information can be found here.

For me, the best approach would be to:

  • use GPO to encrypt end user device AND store the password in Active Directory

This can be configured here: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Store BitLocker recovery information in Acive Directory Domain Services.

This also ensures that encryption won’t start if recovery key failed to be backed up to AD.

  • use Intune and encrypt user device AND store the password in Azure Active Directory with self-service key recovery feature

This doesn’t introduce the cost of MBAM or SCCM.

What if you already have your drives encrypted, and now want to improve the process od recovering information? As always – PowerShell to the rescue. To send information to AD we can use Backup-BitLockerKeyProtector. It can accept either KeyProtectorID or the ID itself. Retrieving those is simple.

Ways to get BitLocker recovery key information to AD and Azure AD

Manage-BDE

We can get the information using manage-bde tool:

Retrieve information

Send to AD

PowerShell

This is more fun (objects) do I’ll describe this. Let’s first get information about our volumes:

As you can see I have only one drive, encrypted with TPM. To get the information we require just select-object

This returns two objects for each drive. We’re interested in the second object

Let’s store the information to ActiveDirectory now:

If I would have more drives, this would come in handy:

Azure Active Directory

Same goes with sending RecoveryKey to Azure AD, this time with BackupToAAD-BitLockerKeyProtector:

 Retrieve RecoveryKey

From AD

Now the best part – how to get the information back. Since Windows 2008 BitLocker Recovery Key is stored in AD in msFVE-RecoveryInformation objectclass aassociated to Computer. To get that we first need to get Computer Object and then search Active Directory for ObjecClass of given type. This is assuming your account have rights to read the information from AD in the first place! (great article here)

I’m using custom objects for better readability. Date shiws when the drive was encrypted, not when the information was backed up.

From Azure AD

There is a delay between using BackupToAAD-BitLockerKeyProtector and the information showing on AzureAD. Give it time to synchronize 🙂

Go to https://myapps.microsoft.com, go to the “Profile” page and see all the registered devices:

From there You can view the recovery password for You devices.

Btw – it’s not very intuitive – You cannot access this informatorom directly from office.com -> profie pages.

Advertisements

8 thoughts on “Retrieve BitLocker Recovery Key

  1. hi i need a help plz i lock my D drive to bitlocker and i lost of my both of password or key plz help me how i open to my drive to without bitlocker recovrey key or password

    Like

    1. Without key or password you’ll do nothing. If that would be on the same system You could try to unlock it (if keys were in TPM). Else – sorry, but that’s the power of encryption – no key=no data.

      Like

  2. Is there any way to back up the recovery keys using a csv file with the computer names and the recovery Id for each? MS is ending MBAM support so we are trying to see if it is possible to import the keys from a list instead of running a command on each machine (scripted or not)

    Like

      1. Invoke-Command throws he following error, but running it from the local machine works fine.

        The Active Directory Domain Services forest does not contain the required attributes and classes to host BitLocker Drive Encryption or Trusted Platform Module information. Contact your domain administrator to verify that any required BitLocker Active Directory schema extensions have been installed. (Exception from HRESULT: 0x8031000A)

        Like

Leave a Reply to Shawn Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s