Microsoft 365

How to: Find the BitLocker Recovery Key in Microsoft Entra ID

April 1, 2025
6 min read
Tags: Azure AD, Bitlocker, Data Encryption, Device Management, Device Security, Enterprise Security, Intune, IT Administration, Microsoft 365, Microsoft Entra ID, Recovery Keys, Windows Security

Summary

There are two different use cases where either an end-user or a system administrator needs to find the BitLocker recovery key. In addition, Microsoft has multiple user interfaces and administrative portals to navigate in order to find the recovery key. While it is helpful to be able to find the recovery key through different interfaces, this can confuse users and complicate training or documentation. This article documents how to find the BitLocker Recovery Key and the various options available.

Understanding BitLocker Recovery Keys in Microsoft Entra ID

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. When BitLocker is enabled on a device, the recovery key is automatically saved to Microsoft Entra ID (formerly Azure AD) if the device is joined to Entra ID or if the user signs in with a Microsoft account.

Modern Windows devices (Windows 8.1 and later) that support Modern Standby will automatically enable BitLocker Device Encryption, with recovery keys automatically saved to the user's Microsoft account or organizational Entra ID.

End-User Self-Service Options

Personal Microsoft Account

If you're using a personal device with a Microsoft account:

  1. Visit https://aka.ms/myrecoverykey
  2. Sign in with your Microsoft account
  3. Locate the BitLocker key ID that matches the one displayed on your recovery screen
  4. Use the corresponding recovery key to unlock your drive

Company Portal for Work Devices

If your device is managed by your organization through Intune:

  1. Sign into the Intune Company Portal website from any device
  2. Go to Devices and select your BitLocker-encrypted device
  3. Select "Get recovery key"
  4. The recovery key will be displayed and can be copied

Administrator Options

Microsoft Entra ID Portal (formerly Azure AD)

  1. Open the Microsoft Entra admin center at https://entra.microsoft.com
  2. Go to "Devices" > "All devices"
  3. Search for and select the device
  4. View the BitLocker recovery keys under the device properties

Microsoft 365 Admin Center

  1. Sign in to the Microsoft 365 admin center at https://admin.microsoft.com
  2. Go to "Show all" > "Admin centers" > "Endpoint Manager"
  3. The browser will open the Microsoft 365 Device Management interface at https://devicemanagement.microsoft.com
  4. Go to "Devices" > "All devices"
  5. Select the BitLocker-encrypted device
  6. Select "Recovery keys" under Monitor
  7. View and copy the BitLocker recovery key

PowerShell Method for Administrators

Administrators can retrieve BitLocker recovery keys using PowerShell:

# Requires the Microsoft Graph PowerShell SDK, connected with: Connect-MgGraph -Scopes "Device.Read.All","BitLockerKey.Read.All"
function Get-EntraBitLockerKeys {
    param (
        [Parameter(Mandatory)]
        [string]$DeviceName
    )

    # Resolve the display name to the Entra device ID (DeviceId, not the directory object Id)
    $devices = Get-MgDevice -Filter "displayName eq '$DeviceName'"
    if (-not $devices) { throw "Device '$DeviceName' was not found in Entra ID" }

    foreach ($device in $devices) {
        # List the escrowed key IDs, then fetch each key value explicitly (Graph returns the key only when selected by ID)
        Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$($device.DeviceId)'" |
            ForEach-Object { Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $_.Id -Property "id,key,volumeType,createdDateTime" }
    }
}

# Usage example
Get-EntraBitLockerKeys -DeviceName "DESKTOP-53O32QI"

Administrative Roles and Permissions

There are several Microsoft Entra ID roles that allow delegated administrators to read BitLocker recovery passwords:

  • Cloud Device Administrator (built-in role)
  • Helpdesk Administrator (built-in role)
  • Custom roles with the microsoft.directory/bitlockerKeys/key/read permission

Access to BitLocker keys can be scoped to specific Administrative Units for more granular control.
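
The following is an added example, not code from the original article, showing how the custom-role and Administrative Unit options above translate into a least-privilege assignment: a role that carries only microsoft.directory/bitlockerKeys/key/read, assigned to a help desk principal and scoped to one Administrative Unit. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance) and a session opened with the RoleManagement.ReadWrite.Directory scope; the principal and Administrative Unit IDs are placeholders.

```powershell
# Added example (not from the original article): a custom Entra role limited to reading BitLocker keys,
# assigned with an Administrative Unit scope instead of tenant-wide.
# Assumes: Microsoft Graph PowerShell SDK and Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$helpdeskPrincipalId  = "<object-id-of-helpdesk-user-or-group>"   # placeholder
$administrativeUnitId = "<object-id-of-administrative-unit>"      # placeholder

# 1. Custom role that contains only the permission named in the article
$roleParams = @{
    DisplayName     = "BitLocker Key Reader"
    Description     = "Read BitLocker recovery keys only; no other device or directory rights"
    IsEnabled       = $true
    RolePermissions = @(
        @{ allowedResourceActions = @("microsoft.directory/bitlockerKeys/key/read") }
    )
}
$role = New-MgRoleManagementDirectoryRoleDefinition @roleParams

# 2. Assign it scoped to the Administrative Unit rather than to "/" (the whole tenant)
$assignmentParams = @{
    RoleDefinitionId = $role.Id
    PrincipalId      = $helpdeskPrincipalId
    DirectoryScopeId = "/administrativeUnits/$administrativeUnitId"
}
New-MgRoleManagementDirectoryRoleAssignment @assignmentParams

# 3. Verify who holds the role and at what scope (useful for the access documentation the article recommends)
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```

A DirectoryScopeId of "/" would grant key access across every device in the tenant; the Administrative Unit scope limits it to the devices placed in that unit, which is the granular control the section describes.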

Troubleshooting

Keys Not Showing in Entra ID

If BitLocker keys are not appearing in Entra ID after encryption:

  1. Check that the encryption profile was successfully applied
  2. Verify the device is compliant with organizational policies
  3. Ensure "Save BitLocker recovery information to Microsoft Entra ID" is enabled in your policy
  4. For persistent issues, try removing and re-enrolling the device
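
As an added example (not part of the original article), the device-side checks behind steps 1 to 3 can be scripted on the affected machine with the built-in BitLocker module: confirm that a recovery password protector exists, that the device is Entra-joined, and what the last escrow attempt reported, then push the protector to Entra ID again if needed. It assumes an elevated PowerShell session on the Windows device; the event IDs used (845 for a successful backup to Entra ID, 846 for a failure, in the Microsoft-Windows-BitLocker-API/Management log) are the ones the author of this example has seen and should be verified on your build.

```powershell
# Added example (not from the original article): check and repair BitLocker key escrow from the device itself.
# Assumes an elevated session on the affected Windows device with the built-in BitLocker module.
# Event IDs 845/846 are an assumption based on the BitLocker-API/Management log as observed by the example's author.

function Test-BitLockerEscrow {
    param ([string]$MountPoint = "C:")

    $volume   = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $volume.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"

    # Keys are only escrowed to the tenant the device is joined to, so check the join state first
    $joined = [bool](dsregcmd /status | Select-String "AzureAdJoined\s*:\s*YES")

    # Most recent escrow result recorded by the BitLocker API event log (if any)
    $lastBackup = Get-WinEvent -FilterHashtable @{
        LogName = "Microsoft-Windows-BitLocker-API/Management"; Id = 845, 846
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MountPoint          = $MountPoint
        ProtectionStatus    = $volume.ProtectionStatus
        HasRecoveryPassword = [bool]$recovery
        RecoveryKeyId       = $recovery.KeyProtectorId   # must match the key ID shown on the recovery screen
        EntraJoined         = $joined
        LastEscrowEventId   = $lastBackup.Id             # 845 = succeeded, 846 = failed (assumed)
        LastEscrowTime      = $lastBackup.TimeCreated
    }
}

function Repair-BitLockerEscrow {
    param ([string]$MountPoint = "C:")

    $state = Test-BitLockerEscrow -MountPoint $MountPoint
    if (-not $state.HasRecoveryPassword) {
        # No recovery password protector at all: add one so there is something to escrow
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $state = Test-BitLockerEscrow -MountPoint $MountPoint
    }
    foreach ($id in $state.RecoveryKeyId) {
        # Escrow the recovery password to the Entra tenant the device is joined to
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id
    }
    Test-BitLockerEscrow -MountPoint $MountPoint
}

# Usage: inspect first, repair only if the key is missing or the last escrow failed
Test-BitLockerEscrow
```

If EntraJoined comes back false, the escrow target does not exist and re-enrolling the device (step 4) is the right fix; if the protector exists and the device is joined but the last event is a failure, running Repair-BitLockerEscrow after connectivity is restored usually resolves it, and the new key ID should then appear under the device in the Entra admin center.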

Recovering Keys for Unjoined Devices

If a device was previously joined to Entra ID but has since been unjoined:

  1. An administrator can still access the recovery key if they have the device ID
  2. The key may still be accessible in Entra ID by searching for the specific BitLocker key ID
  3. Contact your IT department as they may have backup procedures for these scenarios

Best Practices for BitLocker Management

  1. Proactive Key Management
    • Implement a regular audit process to verify all devices have their BitLocker keys properly escrowed to Microsoft Entra ID
    • Use Intune compliance policies to ensure BitLocker is enabled on all applicable devices
    • Configure automatic recovery password rotation for Entra-joined devices to enhance security
  2. End-User Recovery Process
    • Create a self-service knowledge base article for users to find their own recovery keys when possible
    • Implement a standard help desk ticket template for BitLocker recovery requests that includes:
      • Device name and/or serial number
      • User identity verification steps
      • Required approvals (if applicable)
      • Post-recovery documentation
  3. Administrator Recovery Process
    • Suspend BitLocker before planned firmware updates to prevent recovery mode
    • Document which administrators have permissions to access BitLocker recovery keys
    • Maintain a secure log of recovery key access for audit purposes
    • Establish an emergency recovery process for situations where keys aren't available in Entra ID
  4. Recovery Documentation
    • Maintain detailed documentation of where recovery keys are stored for different device types
    • Create step-by-step guides for both users and IT staff
    • Include screenshots of the various recovery key access methods
    • Update documentation whenever Microsoft interfaces change
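
The audit process in "Proactive Key Management" and the access log in "Administrator Recovery Process" can both be produced from Microsoft Graph. The following is an added example, not code from the original article: it reports every Windows device in Entra ID with and without an escrowed key, and lists who retrieved keys recently. It assumes the Microsoft Graph PowerShell SDK and a session opened with the Device.Read.All, BitLockerKey.ReadBasic.All and AuditLog.Read.All scopes; the audit activity name "Read BitLocker key" is the one the author of this example has observed in Entra audit logs and should be confirmed in your tenant.

```powershell
# Added example (not from the original article): tenant-wide escrow coverage audit and key-access report.
# Assumes: Microsoft Graph PowerShell SDK and
#   Connect-MgGraph -Scopes "Device.Read.All","BitLockerKey.ReadBasic.All","AuditLog.Read.All"
# Listing keys without selecting the "key" property returns metadata only, so the coverage check
# does not read key values. The activity name "Read BitLocker key" is an assumption to verify.

function Get-BitLockerEscrowCoverage {
    # Every Windows device object in the tenant (narrow the filter to your managed scope if needed)
    $devices = Get-MgDevice -Filter "operatingSystem eq 'Windows'" -All

    foreach ($device in $devices) {
        $keys = @(Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$($device.DeviceId)'" -All)
        [pscustomobject]@{
            DisplayName = $device.DisplayName
            DeviceId    = $device.DeviceId
            TrustType   = $device.TrustType    # AzureAd (joined), ServerAd (hybrid) or Workplace (registered)
            KeyCount    = $keys.Count
            NewestKey   = ($keys | Sort-Object CreatedDateTime -Descending | Select-Object -First 1).CreatedDateTime
            Escrowed    = $keys.Count -gt 0
        }
    }
}

function Get-BitLockerKeyReadEvents {
    param ([int]$Days = 30)

    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Read BitLocker key' and activityDateTime ge $since" -All |
        ForEach-Object {
            [pscustomobject]@{
                When   = $_.ActivityDateTime
                Actor  = $_.InitiatedBy.User.UserPrincipalName
                Target = ($_.TargetResources | Select-Object -First 1).DisplayName
                Result = $_.Result
            }
        }
}

# Devices with no escrowed key are the ones to chase first
$coverage = @(Get-BitLockerEscrowCoverage)
$coverage | Where-Object { -not $_.Escrowed } | Format-Table DisplayName, TrustType, DeviceId
"{0} of {1} Windows devices have at least one escrowed recovery key" -f @($coverage | Where-Object Escrowed).Count, $coverage.Count

# Who retrieved keys in the last 30 days (feeds the secure access log the article recommends)
Get-BitLockerKeyReadEvents -Days 30 | Format-Table -AutoSize
```

Scheduling the coverage report and diffing it against the previous run turns the "regular audit" recommendation into a concrete control: a device that was escrowed last month and is not this month usually means a rotated or re-imaged device whose new key never reached Entra ID. The access report is the evidence trail for the "secure log of recovery key access" item; every key value retrieval through the portal or Graph lands there, including the retrievals made with the PowerShell method earlier in the article.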

Need Help With BitLocker Recovery?

If you're experiencing BitLocker issues or need to retrieve a recovery key, we're here to help:

  1. For Self-Service Recovery: Try the methods outlined in the "End-User Self-Service Options" section above.
  2. For IT Support:
    • Submit a support ticket at: [your-support-portal.com]
    • Include your device name, username, and BitLocker ID (if visible on screen)
    • Call our dedicated BitLocker recovery hotline
  3. For Preventative Guidance:
    • Schedule a BitLocker strategy consultation with our team
    • Request an audit of your current BitLocker implementation
    • Sign up for our monthly security newsletter

Contact us today or visit https://365adviser.com/contact/ to ensure your organization is maximizing the security benefits of BitLocker while minimizing recovery incidents.
