Recovery Key

Introduction

A recovery key is a 48-bit string used to unlock an encrypted hard drive when the password is forgotten. Even after severe hardware damage, the drive's contents may be recoverable by installing it in another computer and providing the correct recovery key.

After a BitLocker encryption policy is deployed, the BitLocker configuration process is initiated during PC boot. Once this process completes, the recovery key is generated automatically. The admin can create or modify BitLocker policies so that the recovery key information is also updated in the domain controller.

NOTE: Both Windows AD and Azure AD are supported for backing up recovery keys.

To make the recovery key easy to retrieve, it is recommended that it be backed up in the domain controller. Follow these steps to back up the recovery key data:

  • Ensure that, for all managed computers, the group policy (GPO) allows the recovery key data to be updated in the domain controller. Refer to this page for details on BitLocker Group Policy Settings.
  • Navigate to the product console > BitLocker > Policy creation > Create policy. Enable the option 'Update recovery key to domain controller'. To learn more about this option and about configuring BitLocker policies, refer to this page.

NOTE: With this option enabled, every newly generated key is automatically updated in Active Directory.

Ways to retrieve Recovery Key

  • Through Endpoint Central's console
  • Through Active Directory Users And Computers

Retrieve Recovery Key using Endpoint Central

The recovery key is generated automatically during the BitLocker configuration process and, for domain users, can be backed up in AD. When an end user forgets the PIN or passphrase, provide them with the recovery key. Follow these steps to retrieve the recovery key using the Endpoint Central console:

  • Finding the recovery key identifier: The recovery key identifier is used to look up the recovery key of a particular computer. The admin can find it in the console, in the Managed Systems section, under the summary for that computer.

    Retrieve Recovery Key

  • Retrieving the recovery key: Enter the recovery key identifier or the computer name in the Retrieve Recovery Key section of the console. Once the recovery key of a specific machine has been accessed, that key is rotated at the next startup of the machine.

    Show Recovery Key

Retrieve Recovery Key using Active Directory Users And Computers

The Active Directory Users And Computers (ADUC) console enables admins to manage Active Directory objects. As part of the Remote Server Administration Tools (RSAT), it can be used to look up the recovery key directly from a Windows machine. Follow these steps to find the recovery key and Password ID of a specific managed computer:

  • Open the Active Directory Users And Computers console.
  • Open the 'Properties' dialog of the managed computer.
  • Click the 'BitLocker Recovery' tab. The BitLocker recovery key and Password ID of the computer are displayed.

    Retrieve Recovery Key using Active Directory Users And Computers

You have successfully found the Recovery key of a Windows machine using ADUC.
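The lookups described above (by computer name in the console, or via the ADUC 'BitLocker Recovery' tab) can also be done from PowerShell against the same AD objects. The following is an added example, not code from the Endpoint Central documentation; it assumes the RSAT ActiveDirectory module is installed and that the account has read access to the msFVE-RecoveryInformation objects, and the function and parameter names are ours.

```powershell
#Requires -Modules ActiveDirectory
# Added example: read BitLocker recovery information from AD, the way the ADUC
# 'BitLocker Recovery' tab does. Not part of the product's own tooling.
function Get-ADBitLockerRecoveryInfo {
    [CmdletBinding(DefaultParameterSetName = 'ByComputer')]
    param(
        # Name of the managed computer, as shown in the console
        [Parameter(Mandatory, ParameterSetName = 'ByComputer')]
        [string]$ComputerName,
        # First 8 or more characters of the Password ID shown on the recovery screen
        [Parameter(Mandatory, ParameterSetName = 'ByPasswordId')]
        [ValidatePattern('^[0-9A-Fa-f-]{8,}$')]
        [string]$PasswordIdPrefix
    )

    $props = 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'whenCreated'

    if ($PSCmdlet.ParameterSetName -eq 'ByComputer') {
        # Recovery objects are children of the computer object, one per key generation,
        # so a computer that has had its key rotated carries several of them
        $computer = Get-ADComputer -Identity $ComputerName
        $objects  = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
            -SearchBase $computer.DistinguishedName -SearchScope OneLevel -Properties $props
    } else {
        # The object CN is "<timestamp>{<Password ID GUID>}", so a prefix match on the
        # name locates the key when only the ID from the recovery screen is known
        $objects = Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{$PasswordIdPrefix*'" `
            -Properties $props
    }

    # Newest object first: that is the key currently in use after a rotation
    foreach ($o in ($objects | Sort-Object whenCreated -Descending)) {
        $guid = [guid]::new([byte[]]$o.'msFVE-RecoveryGuid')   # Password ID shown in ADUC
        [pscustomobject]@{
            Computer    = (($o.DistinguishedName -split ',', 2)[1] -replace '^CN=([^,]+).*', '$1')
            PasswordId  = $guid.ToString().ToUpper()
            Created     = $o.whenCreated
            RecoveryKey = $o.'msFVE-RecoveryPassword'          # numeric recovery password
        }
    }
}

# Usage (computer name and ID below are constructed sample values):
# Get-ADBitLockerRecoveryInfo -ComputerName 'WS-FINANCE-07'
# Get-ADBitLockerRecoveryInfo -PasswordIdPrefix 'A1B2C3D4'
```

Reading these objects from AD does not rotate the key the way retrieval through the Endpoint Central console does, so who can read them should be delegated narrowly and audited.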

Recovery Key Retention Policy

Storing the recovery key is essential. Beyond retaining the recovery key in the Endpoint Central server, there is the option to back it up to the customer's Active Directory, both Azure AD and on-premises AD. The recovery key(s) of computer(s) removed from SoM are retained in the server for up to one year, and can be retrieved using the recovery key identifier. The option to retain the recovery key is enabled with the toggle button in the top right corner of the Retrieve Recovery Key page. Encryption of a machine is never initiated until its recovery key has been successfully stored in the EC server.

Recovery Key Retention Policy


If you have any further questions, please refer to our Frequently Asked Questions section for more information.
