So your computer broke. Then, you got yourself a new one and needed to get your files off the old hard drive. Then it hit you: you have a drive encrypted with BitLocker! What makes it worse is when you don't know the recovery key to get past the BitLocker protection. What now?

Before you throw away that hard drive or pay to recover your files, know that you may still be able to find your BitLocker recovery keys. You just have to know where to look. In this article, you will learn the different ways to back up, manage, and find BitLocker recovery keys to save yourself from losing access to your data.

Before You Begin

This article covers working with BitLocker that is included in the business editions of the Windows 10 operating system. The examples in this article do not apply to Windows 10 consumer editions.

Some examples are applicable only when using a domain user account, a Microsoft account, an Azure Active Directory user account, or a local user account. So, please don't get confused if one or more of the examples does not apply to your case.

Also, if you are not familiar with BitLocker, or if you just want a refresher, you may want to read about the BitLocker Overview first.

Saving BitLocker Recovery Keys

There are several ways that BitLocker keys may be stored or backed up. In some situations, these recovery keys are backed up automatically; in others, they must be backed up manually.

In this section, you'll learn about each of the possible ways that the BitLocker recovery keys are backed up. In turn, these backup methods should help you find your BitLocker recovery keys when you need them.

Accessing the BitLocker Management

Before you can manage your BitLocker drive encryption, you must first access the BitLocker management on your Windows 10 computer.

To access BitLocker management, go to Control Panel —> System and Security —> BitLocker Drive Encryption.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/84d6d413-c9e2-4277-aefb-876bc312fa07/Untitled.png
Access BitLocker from Control Panel

Another way to get to the BitLocker management is by locating the encrypted drive in File Explorer —> Right-Click on the Drive —> Click Manage BitLocker.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/0b3911c7-9e49-4438-bbe2-af7e9a166331/Untitled.png
Access BitLocker from the drive's context menu

Saving the Recovery Key to a USB Storage Device

One of the options for storing your BitLocker recovery key is by exporting it to a USB storage device. Consider using this option if you have a USB storage device that you always have with you.

To export your BitLocker recovery key, open the BitLocker page first. Once on the BitLocker page, locate the encrypted drive in the list. Then, click on Backup your recovery key.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/95756f1d-22eb-4a57-9e9a-6f235ff5c29d/Untitled.png
Click on the Backup your recovery key link

When asked, "How do you want to backup your recovery key?", select Save to a USB flash drive.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/514492f7-adf6-4833-8eaa-d146720a8928/Untitled.png
Save to a USB flash drive

You will be prompted to insert a USB flash drive; then select the drive from the list and click Save.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/ae67bfa4-b430-4aab-addf-63046cc7a727/Untitled.png
Select the USB device from the list

Then, click on Finish. The BitLocker recovery key is now backed up to your USB drive. The contents of the recovery key backup file will be similar to the one shown in the screenshot below.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/11f6ddb6-8850-41ad-bb47-92f1d8e49c8f/Untitled.png
Sample of the recovery key backup file contents
Note: You cannot use a USB drive that is also BitLocker encrypted. Any attempt to use an encrypted drive to save the recovery key will result in the error shown below.
https://s3-us-west-2.amazonaws.com/secure.notion-static.com/af6bb293-eba3-4830-8b8e-7c48bea9c29c/Untitled.png
Error when saving the recovery key to an encrypted drive

Saving the Recovery Key to a TXT File

This next method of saving the BitLocker recovery key is somewhat similar to saving the recovery key to a USB drive. The difference is that, in this method, you can choose where the file containing the recovery key will be saved.

This method is excellent if you want to save your recovery key to a location other than your local machine, like a network drive.

Go to the BitLocker page and click on the Backup your recovery key link. From the list of options, click on Save to a file.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/d8d81ff3-0645-4b43-8e1b-27ac487a8932/Untitled.png
Save to a file

You will be prompted with a dialog where you can specify where to save the file. In this example, the file containing the BitLocker recovery key will be saved to a USB drive. Click on Save.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/f14c2745-d4dd-452e-8d4a-f1d57ece52ae/Untitled.png
Save the BitLocker recovery key to a file
Note: If you chose to save the file to an encrypted drive, you would get a warning that the file cannot be saved. You must save the file to a drive that is not encrypted.

Printing the Recovery Key to Paper or File

One more option for saving the BitLocker recovery key is to print it to paper or to a file, such as a PDF. The process is similar to the first two methods already discussed, but in this method, you will click on the Print the recovery key option.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/b5c32af7-48c4-432b-80b5-8a530fcd21da/Untitled.png
Print the recovery key

Then, select the printer you wish to use when you get to the Print page. In this example, the Microsoft Print to PDF printer driver is used.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/04ac914c-f577-4c9a-8276-77de89215f6f/Untitled.png
Print the recovery key file to a PDF

Then, select the location where you want to save the PDF file containing the BitLocker recovery key. In this example, the PDF file is saved to the USB drive.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/324e4c91-0f72-4ec9-8a62-98c9ad65702d/Untitled.png
Save the BitLocker recovery key to PDF
Note: You will not be warned about this, but do not keep the BitLocker key backup in the same drive that is also encrypted with BitLocker.
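The "save to a file" and "print to PDF" methods above both end with a recovery key sitting in a file, and both notes warn against leaving that file on a BitLocker-protected drive. The following PowerShell script is an added example, not code from the article, that does the same export from the command line and enforces that warning: it reads the recovery password protector(s) of a volume with the BitLocker module and refuses to write the file if the destination drive itself has BitLocker protection turned on. The `$SourceVolume` and `$DestinationPath` defaults are assumptions; an elevated session is required.

```powershell
# Added example (not from the article): export a volume's BitLocker recovery
# password to a text file, refusing a destination that is itself protected.
#Requires -RunAsAdministrator
param(
    [string]$SourceVolume    = 'C:',                              # assumption
    [string]$DestinationPath = 'E:\BitLocker Recovery Key.txt'    # assumption
)

function Export-BitLockerRecoveryKey {
    param([string]$MountPoint, [string]$Path)

    # Check the destination first: the GUI refuses an encrypted drive, and so do we.
    $destinationRoot = [System.IO.Path]::GetPathRoot($Path)
    $destinationDrive = $destinationRoot.TrimEnd('\')
    $destination = Get-BitLockerVolume -MountPoint $destinationDrive -ErrorAction SilentlyContinue
    if ($destination -and $destination.ProtectionStatus -eq 'On') {
        throw "Refusing to save the recovery key to $destinationDrive because that drive is BitLocker-protected."
    }

    # Only RecoveryPassword protectors carry the 48-digit password the recovery screen asks for.
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($protectors.Count -eq 0) {
        throw "No recovery password protector exists on $MountPoint."
    }

    # Same two fields the GUI-generated file contains: the identifier you quote
    # to an admin and the recovery password itself.
    $lines = foreach ($p in $protectors) {
        'BitLocker Drive Encryption recovery key'
        ''
        "Volume:       $($volume.MountPoint)"
        "Identifier:   $($p.KeyProtectorId)"
        "Recovery Key: $($p.RecoveryPassword)"
        ''
    }
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $Path
}

Export-BitLockerRecoveryKey -MountPoint $SourceVolume -Path $DestinationPath
```

The destination check relies on `ProtectionStatus`, which is `On` only when the volume is encrypted and its protectors are active; a network path has no BitLocker volume object, so the check is skipped and the write proceeds, matching the article's suggestion of a network drive as a valid target.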

Saving the Recovery Key to Your Microsoft Account

If you are logged in to your Windows 10 PC using your Microsoft Account, BitLocker gives you the option to save your recovery key to your account in the cloud.

The advantage of using this option is that you do not need to manually take an inventory of your BitLocker keys. As long as you have access to your Microsoft account, you should be able to find the recovery keys online while logged in to your Microsoft account.

To use this option, go to the BitLocker management in Control Panel. Then, you will be presented with options, as shown below. Click on the option to Save to your Microsoft account.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/60da459f-c354-48d4-84fc-ffe8ed8bf816/Untitled.png
Save the recovery key to the Microsoft account

After clicking on the Save to your Microsoft account option, the recovery key will be saved to your Microsoft account quickly, without any further messages. Click Finish when done.

Saving the Recovery Key to Active Directory

BitLocker keys can also be automatically saved in Active Directory. This is done by deploying a group policy to select users or the entire domain.

In situations where group policy is applied, when BitLocker is turned on for a drive, there's no action required from you to back up your drive's BitLocker recovery key.

If you need to learn more about saving BitLocker recovery keys in Active Directory, you can visit - Store BitLocker Recovery Keys using Active Directory.

Saving the Recovery Key to Azure Active Directory

If your computer is joined to an Azure Active Directory domain, saving your BitLocker recovery key to your Azure AD domain account is possible.

To take advantage of this option, go to the BitLocker management in Control Panel. Then, you will be presented with options, as shown below. Click on the option to Save to your cloud domain account.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/f94958dc-988e-43b7-be35-87c9b22732a6/Untitled.png
Save the recovery key to Azure Active Directory

You will see a progress indicator shown briefly on your screen similar to the screenshot below.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/2b605478-bf2e-4c65-ae54-994774c22148/Untitled.png

Once the save operation is complete, you can click Finish to exit the BitLocker management.
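The two directory-backed options above (Active Directory via group policy, and the Save to your cloud domain account link for Azure AD) can also be triggered on demand, which is useful when a drive was encrypted before the policy applied or when you want to confirm the backup happened. The following PowerShell script is an added example and not the article's code; it uses the BitLocker module cmdlets `Backup-BitLockerKeyProtector` (AD DS) and `BackupToAAD-BitLockerKeyProtector` (Azure AD) to push every recovery password protector of a volume to the chosen directory. It must run elevated on a device joined to that directory; `$MountPoint` and `$Target` are assumptions.

```powershell
# Added example (not from the article): back up a volume's recovery password
# protectors to Active Directory or Azure AD on demand.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = 'C:',                   # assumption
    [ValidateSet('ActiveDirectory', 'AzureAD')]
    [string]$Target = 'ActiveDirectory'           # assumption
)

function Backup-RecoveryPasswordProtectors {
    param([string]$MountPoint, [string]$Target)

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($protectors.Count -eq 0) {
        throw "No recovery password protector on $MountPoint; add one with Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector first."
    }

    foreach ($p in $protectors) {
        # The cmdlets send the protector ID and password to the directory; the
        # password is never displayed on the device as part of this step.
        switch ($Target) {
            'ActiveDirectory' {
                Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            }
            'AzureAD' {
                BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            }
        }
        # Record what was backed up so the ID can be matched later in the directory.
        [pscustomobject]@{
            MountPoint     = $MountPoint
            KeyProtectorId = $p.KeyProtectorId
            BackedUpTo     = $Target
        }
    }
}

Backup-RecoveryPasswordProtectors -MountPoint $MountPoint -Target $Target
```

Both cmdlets fail rather than silently skip when the device is not joined to the chosen directory or the directory rejects the write, so a non-error completion is a reasonable signal that the key now exists where an admin can find it.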

Finding BitLocker Recovery Keys

You've seen in the previous sections how to save a backup of your BitLocker recovery keys. If you chose to save to a file, USB, or to a printed document, then you'd obviously know where to find those recovery keys whenever you need them.

In the next sections, you will learn how to find the BitLocker recovery keys from Azure Active Directory, Active Directory, and your Microsoft account.

Finding the Recovery Key from Active Directory

Unfortunately, there is no built-in way for users to find their own BitLocker recovery keys in Active Directory. Unless your organization's admins provide a way for users to find recovery keys on their own, the default choice is for you to call them and ask.

Typically, when you get to the point where you need to enter the recovery key, the BitLocker recovery key ID is already displayed on your screen. You must provide your admin with the first 8 characters of the BitLocker recovery key ID of your encrypted drive.

Suppose that you're unlocking the drive with recovery key ID: D79286AF. If you provide that ID to your admin, they can search for the recovery key in Active Directory using that ID.

The admin will go to Active Directory Users and Computers, click on Action and select Find BitLocker recovery password.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/adf9eed3-e6e3-4aed-9c44-e5defb5c976b/Untitled.png

Then, the admin will enter the recovery key ID that you provided and start a search for it. Refer to the screenshot below. The image shows the example of searching for BitLocker recovery passwords in Active Directory.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/e77e33ef-65f1-4d83-bcdd-2df96356e73c/Untitled.png
Searching the BitLocker recovery key in Active Directory

The admin will then provide you with the recovery password, which you can then use to unlock the BitLocker drive encryption.
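The Find BitLocker recovery password dialog shown above searches for `msFVE-RecoveryInformation` objects, which live under the computer object in Active Directory and carry the protector GUID in their name. The following PowerShell function is an added example, not the article's code, that performs the same lookup from the ActiveDirectory module using the partial ID a user reads off the recovery screen (the ID `D79286AF` is the article's own example). It requires the RSAT ActiveDirectory module and permission to read the confidential `msFVE-RecoveryPassword` attribute; `$SearchBase` defaulting to the domain root is an assumption.

```powershell
# Added example (not from the article): search AD DS for a BitLocker recovery
# password by the first 8 characters of its recovery key ID.
param(
    [string]$RecoveryKeyIdPrefix = 'D79286AF',                  # article's example ID
    [string]$SearchBase = (Get-ADDomain).DistinguishedName      # assumption: whole domain
)

function Find-BitLockerRecoveryPassword {
    param([string]$IdPrefix, [string]$SearchBase)

    if ($IdPrefix -notmatch '^[0-9A-Fa-f]{8}$') {
        throw "Expected the first 8 hexadecimal characters of the recovery key ID, got '$IdPrefix'."
    }

    # Each object's name has the form "<timestamp>{<protector GUID>}", so the
    # opening brace followed by the prefix is enough to match one protector.
    $filter  = "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{$IdPrefix*'"
    $results = Get-ADObject -Filter $filter -SearchBase $SearchBase `
        -Properties 'msFVE-RecoveryPassword', 'whenCreated'

    foreach ($r in $results) {
        # The object's parent in the directory is the computer the key belongs to.
        $computerDn = ($r.DistinguishedName -split ',', 2)[1]
        [pscustomobject]@{
            Computer         = (Get-ADComputer -Identity $computerDn).Name
            RecoveryKeyId    = ($r.Name -replace '^.*\{([^}]+)\}.*$', '$1')
            Created          = $r.whenCreated
            RecoveryPassword = $r.'msFVE-RecoveryPassword'
        }
    }
}

Find-BitLockerRecoveryPassword -IdPrefix $RecoveryKeyIdPrefix -SearchBase $SearchBase
```

Because the same prefix can in principle match more than one protector across the domain, the function returns every hit with its computer name and creation time so the admin can confirm it belongs to the user's device before reading the password out. Reads of `msFVE-RecoveryPassword` are worth auditing in directory access logs, since each one hands out a secret that unlocks a drive.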

Finding the Recovery Key From Your Microsoft Account

Once you've saved your BitLocker key to your Microsoft account, it is only natural that you would want to confirm that the key was indeed saved. Lucky for you, the way to do that is simple.

First, go to the BitLocker recovery keys site and log in using your Microsoft account. Once logged in, you should see a list of the BitLocker keys that are associated with your account.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/255acbd8-f997-482b-bb8c-43ea8832aa7d/Untitled.png
BitLocker recovery keys in your Microsoft Account

As you can see from the screenshot above, the keys are itemized by the device the keys were generated from. You can see as well that, in the example above, there are two keys associated with the Microsoft account: one for the Operating System Volume and one for the Removable Drive Volume.

Finding the Recovery Key From Azure Active Directory

There are Azure Active Directory setups that allow users to see their BitLocker keys on their own. In the example below, the screenshot shows that the user's Azure Active Directory profile page lists the user's devices, and each device has a link to get its BitLocker keys.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/824e742f-b08f-4c7e-9350-8fd5d0f57e66/Untitled.png
List of devices in the Azure AD profile page

After clicking on the Get BitLocker keys link, the recovery keys associated with the computer will be displayed in a pop-up similar to the one below.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/c5319854-d03e-49bd-abe6-9c5ffeb01660/Untitled.png
BitLocker recovery key from the Azure AD user profile page

If the BitLocker recovery keys are not available in your Azure AD user profile, you need to contact your admin and request those recovery keys. You must provide the first 8 characters of the recovery key ID. The admin can use it to search for your BitLocker recovery key in the Azure Active Directory Admin Center.

As you can see from the example screenshot below, the admin can find the BitLocker recovery key associated with the user's account and device.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/1deccfb7-e66f-4aa7-8ef2-bb6528f9ee67/Untitled.png
Finding the recovery key from the Azure AD account

Unlocking BitLocker Encrypted Drives

At this point, you already know how to back up and find your recovery keys. In the next sections, you will learn how to use those recovery keys to unlock BitLocker encrypted drives.

Unlocking an Encrypted Operating System Drive

Operating system drives can become locked and require entering the BitLocker recovery key. When this happens, you are essentially dealing with a locked PC. The reasons why a drive might get locked include the following:

  • Hardware or firmware upgrade.
  • Hardware drivers installation.
  • Corrupted TPM module.
  • Drive was transferred to another computer.

When an operating system drive is locked, you will get a prompt during boot that is similar to the screenshot below.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/f916f12d-f334-46ed-9158-2222d2bb4866/Untitled.png
BitLocker recovery key prompt during boot

As you can see from the screenshot above, the BitLocker recovery key needs to be entered to unlock the drive.

Unlocking an Encrypted Fixed or Removable Drive

There are times when you need to attach an encrypted fixed or removable drive to another computer. Before you can access the data on those encrypted drives, the drives must be unlocked first.

The image below shows what the icon of the drive looks like when it is locked.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/54f5d708-a40f-4621-a525-bd0651b37fef/Untitled.png
Locked drive

When you try to unlock a removable or fixed drive in Windows, you will be prompted to enter the recovery key, as shown below.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/1b6cde87-981f-4418-b5ee-d63d00691074/Untitled.png
Unlocking a drive in Windows

After unlocking the drive, you should be able to gain access to its contents. The icon of the drive also changes to the one shown below.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/396370f4-289c-43b3-8651-f93748696a8c/Untitled.png
Unlocked drive
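The unlock dialog above also needs to be driven from a script sometimes, for instance when the drive is attached to a server with no desktop session. The following PowerShell script is an added example and not the article's code. It first reads the recovery key ID of the locked drive (the key protector IDs are part of the volume metadata and are reported by `Get-BitLockerVolume` even while the volume is locked, which is how you know which 8 characters to quote to an admin or look up in your Microsoft account), then unlocks the drive with `Unlock-BitLocker` once you have the 48-digit recovery password. `$DriveLetter` is an assumption and the `$RecoveryPassword` default is an all-zero placeholder that must be replaced with the real password.

```powershell
# Added example (not from the article): find the recovery key ID of a locked
# data drive, then unlock it with the recovery password.
#Requires -RunAsAdministrator
param(
    [string]$DriveLetter = 'E:',                                                        # assumption
    [string]$RecoveryPassword = '000000-000000-000000-000000-000000-000000-000000-000000' # placeholder, not a real key
)

function Get-RecoveryKeyIdForDrive {
    param([string]$MountPoint)

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    # Protector IDs are readable while locked; the RecoveryPassword field is not.
    $volume.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object {
            $id = $_.KeyProtectorId.Trim('{}')
            [pscustomobject]@{
                MountPoint      = $volume.MountPoint
                LockStatus      = $volume.LockStatus
                RecoveryKeyId   = $id
                IdPrefixToQuote = $id.Substring(0, 8)   # what the article says to give an admin
            }
        }
}

function Unlock-DriveWithRecoveryPassword {
    param([string]$MountPoint, [string]$Password)

    # A recovery password is eight dash-separated groups of six digits.
    if ($Password -notmatch '^(\d{6}-){7}\d{6}$') {
        throw 'A BitLocker recovery password is 48 digits in eight groups of six, separated by dashes.'
    }
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    if ($volume.LockStatus -eq 'Unlocked') {
        return $volume    # nothing to do; already accessible in File Explorer
    }
    # Returns the volume object again, now with LockStatus set to Unlocked.
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $Password
}

Get-RecoveryKeyIdForDrive -MountPoint $DriveLetter
Unlock-DriveWithRecoveryPassword -MountPoint $DriveLetter -Password $RecoveryPassword
```

The unlock only lasts for the current session on that computer; the drive locks again when it is removed or the machine restarts, unless you add another key protector for that machine afterwards.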

Conclusion

In this article, you've learned the different ways that you can back up, manage, and find your BitLocker recovery keys. You've learned which way of saving the recovery key is most appropriate for each situation.

You can never go wrong with saving the BitLocker recovery keys to a USB drive, a file, or to a printed document. These three options of storing recovery keys allow for quick retrieval should you need to unlock an encrypted drive.

Saving your recovery keys to your Microsoft account gives you the flexibility of retrieving your BitLocker recovery passwords from anywhere.

Automatically saving the recovery keys in Active Directory ensures that those keys can be retrieved from a central source, even if the users neglect to back up the recovery keys themselves.

Lastly, manually saving recovery keys to Azure Active Directory is another excellent way to ensure that recovery passwords are always recoverable.

Back up your recovery keys and never lose access to your data again because of possible BitLocker encryption faults.

Further Reading