BitLocker key recovery how-to

What is a recovery key?

A recovery key is a 48-bit string that can be used to access the contents of a computer's encrypted hard disk if the password is forgotten by the user. Also in the case of a hardware malfunction that has severely damaged the hard disk, the contents of the drive can still possibly be accessed by inserting the drive in another computer and entering the recovery key.

After a BitLocker encryption policy is deployed, the BitLocker configuration process will be initiated during PC boot. Once this process is completed, the recovery key will be automatically generated. The admin can create or modify BitLocker policies using such that the recovery key information is also updated in the domain controller.

To easily retrieve the recovery key, it is recommended that it is backed up in the domain controller. Follow these steps to back up the recovery key data:

  1. Ensure that for all managed computers, the group policy (GPO) allows the recovery key data to be updated in the domain controller.
  2. Navigate to the product console > BitLocker > Policy creation > Create policy. Enable the option 'Update recovery key to domain controller.'

Note: By enabling this option, every time a new key is generated, it will automatically be updated in the Active Directory.

What are the ways in which the recovery key can be obtained in an organizational setup?

There are two ways the recovery key can be found:

  • Using the Endpoint Central console
  • Using Active Directory Users And Computers

Using the Endpoint Central console

To find the recovery key using this method, the recovery key identifier of the specific machine has to be obtained first. Follow these steps in order to find the recovery key identifier:

  1. Navigate to the product console > BitLocker module > Insights > Managed Systems.
  2. From the list view, select the system whose recovery key identifier you want to find. The machine summary page for the computer will be displayed. In the table, the recovery key identifier will be shown. You have successfully found the recovery key identifier of a machine using the Endpoint Central console.
  3. Once the recovery key identifier is found, navigate to the product console > BitLocker > Retrieve Recovery Key.
  4. Enter the recovery key ID. After the first five characters are entered, the options will be displayed. Select the relevant recovery key ID from the drop down.
  5. Once the recovery key identifier is selected. The corresponding details will be displayed including the recovery key, the persistent volume ID and last server updated time.

You have successfully obtained the recovery key using the Endpoint Central console.

Using the Active Directory Users And Computers (ADUC)

Active Directory Users And Computers console enables admins to manage their active directory objects. It can be used as a Remote Server Administration tool (RSAT) to find the recovery key directly from a Windows machine. Follow these steps to find the recovery key and password ID of a specific managed computer:

  1. Open the Active Directory Users And Computers console.
  2. Open the 'Properties' tab of the managed computer.
  3. Click on 'BitLocker Recovery.' The BitLocker recovery key and Password ID of the computer will be displayed.

You have successfully found the Recovery key of a Windows machine using ADUC.

Download a 30-day free trial and try it out for yourself!

List of ManageEngine BitLocker Management documentation

  1. BitLocker Management
  2. How to find BitLocker recovery keys
  3. How to create a BitLocker management policy
  4. BitLocker overview
  5. Frequently asked questions
  6. Complete feature list

For more information on the new Endpoint Security suite products including BitLocker Management, refer here.