Paolo Matarazzo fc2fa0623b updates
2023-10-17 10:52:52 -04:00


---
title: Manage BitLocker recovery passwords
description: Learn how to manage BitLocker keys for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices.
ms.collection:
  - highpri
  - tier1
ms.topic: how-to
ms.date: 09/29/2023
---

Manage BitLocker recovery passwords

Reset recovery password

It's recommended to invalidate a recovery password after it has been used. In the following example, all recovery passwords are removed from the OS drive and a new one is added and backed up.

:::image type="icon" source="images/powershell.svg"::: PowerShell

Remove all recovery passwords for the OS volume

```powershell
(Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
  Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
  Remove-BitLockerKeyProtector -MountPoint $env:SystemDrive
```

Add a BitLocker recovery password protector for the OS volume

```powershell
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
```

Obtain the ID of the new recovery password

```powershell
(Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
  Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
  Format-Table KeyProtectorId, RecoveryPassword
```

Copy the ID of the recovery password from the output.

Backup the BitLocker recovery password to Microsoft Entra ID

Using the GUID from the previous step, replace the {ID} in the following command:

```powershell
BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId "{ID}"
```

Note

The braces {} must be included in the ID string.
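The steps above rely on copying the protector ID by hand, and they remove the old recovery passwords before a new one exists. The following function, an added example that is not part of the original page or the BitLocker module's documentation, performs the same rotation in a fail-safe order: it adds and escrows the new recovery password first, rolls back if escrow fails, and only then removes the old ones. The function name, its parameters and the TPM pre-check are this example's own; it assumes an elevated session on a device with the built-in BitLocker module and a non-recovery protector (such as TPM) on the OS drive.

```powershell
# Added example (not from the page): rotate the OS drive's recovery password safely.
function Update-OsDriveRecoveryPassword {
    param(
        [string]$MountPoint = $env:SystemDrive,
        # 'EntraID' uses BackupToAAD-BitLockerKeyProtector, 'ADDS' uses Backup-BitLockerKeyProtector.
        [ValidateSet('EntraID', 'ADDS')]
        [string]$BackupTarget = 'EntraID'
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    $oldIds = @($volume.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty KeyProtectorId)

    # Pre-check (this example's own): never rotate when a recovery password is the only
    # protector, because removing it could leave the drive without any way to unlock.
    $others = @($volume.KeyProtector | Where-Object KeyProtectorType -ne 'RecoveryPassword')
    if ($others.Count -eq 0) {
        throw "No non-recovery protector (such as TPM) on $MountPoint; not rotating."
    }

    # 1. Add the new recovery password first, so a usable one exists at every step.
    $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds })
    if ($new.Count -ne 1) { throw "Could not identify the newly added recovery password protector." }
    $newId = $new[0].KeyProtectorId

    # 2. Escrow the new password before touching the old ones. If escrow fails, remove the
    #    new protector again and keep the old passwords, which are still backed up.
    $backupParams = @{ MountPoint = $MountPoint; KeyProtectorId = $newId; ErrorAction = 'Stop' }
    try {
        if ($BackupTarget -eq 'EntraID') { BackupToAAD-BitLockerKeyProtector @backupParams | Out-Null }
        else                             { Backup-BitLockerKeyProtector @backupParams | Out-Null }
    } catch {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newId | Out-Null
        throw "Backup to $BackupTarget failed; new protector removed, old ones kept. $_"
    }

    # 3. Invalidate the old recovery passwords only after the new one is safely escrowed.
    foreach ($id in $oldIds) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
    }

    # 4. Verify the end state: exactly one recovery password remains. Report its ID only,
    #    never the password itself, so the transcript of this session does not contain it.
    $remaining = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($remaining.Count -ne 1) {
        throw "Expected 1 recovery password on $MountPoint, found $($remaining.Count)."
    }
    Write-Output "Rotated recovery password on $MountPoint; protector $($remaining[0].KeyProtectorId) is backed up to $BackupTarget."
}

# Run elevated on the device whose recovery password should be rotated.
Update-OsDriveRecoveryPassword -BackupTarget EntraID
```

Because the new protector is escrowed before any old one is deleted, a failed backup (for example, no network to Microsoft Entra ID) leaves the device exactly as it was, which is the property you want from a rotation that runs unattended on many devices.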

:::image type="icon" source="images/cmd.svg"::: Command Prompt

manage-bde.exe can be used to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.

Remove previous recovery passwords for the OS volume

```cmd
manage-bde.exe -protectors -delete C: -type RecoveryPassword
```

Add the new recovery password for the OS volume

```cmd
manage-bde.exe -protectors -add C: -RecoveryPassword
```

Obtain the ID of the new recovery password

```cmd
manage-bde.exe -protectors -get C: -Type RecoveryPassword
```

Copy the ID of the recovery password from the output.

Backup the new recovery password to AD DS

Note

This step is not required if the policy setting Choose how BitLocker-protected operating system drives can be recovered is configured to Require BitLocker backup to AD DS.

Using the ID from the previous step, replace the {ID} in the following command:

```cmd
manage-bde.exe -protectors -adbackup C: -id {ID}
```

Note

The braces {} must be included in the ID string.
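The manual "copy the ID from the output" step is where scripted rollouts usually break. The following PowerShell wrapper is an added example, not part of the page or of manage-bde's own documentation: it parses the `ID: {GUID}` lines that `manage-bde -protectors -get` prints and feeds the ID to `-adbackup`. The function name is this example's own, and the sample output it is tested against is constructed (the GUID and password are placeholders, not real values).

```powershell
# Added example (not from the page): extract protector IDs from manage-bde output.
function Get-ManageBdeProtectorIds {
    param([Parameter(Mandatory)][string[]]$OutputLines)
    # manage-bde prints each protector as a block containing an "ID: {GUID}" line.
    foreach ($line in $OutputLines) {
        if ($line -match '^\s*ID:\s*(\{[0-9A-Fa-f-]{36}\})\s*$') { $Matches[1] }
    }
}

# Constructed sample of "manage-bde -protectors -get C: -type RecoveryPassword" output.
# The ID and password below are placeholders, not real protector values.
$sample = @'
BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [OS]
All Key Protectors

    Numerical Password:
      ID: {11111111-2222-3333-4444-555555555555}
      Password:
        000000-000000-000000-000000-000000-000000-000000-000000
'@ -split "`r?`n"

Get-ManageBdeProtectorIds -OutputLines $sample

# Live use on the OS drive (elevated): the tool's output is captured as a string array.
$ids = @(Get-ManageBdeProtectorIds -OutputLines (manage-bde.exe -protectors -get $env:SystemDrive -type RecoveryPassword))
if ($ids.Count -ne 1) {
    throw "Expected exactly one recovery password protector on $env:SystemDrive, found $($ids.Count)."
}
manage-bde.exe -protectors -adbackup $env:SystemDrive -id $ids[0]
if ($LASTEXITCODE -ne 0) { throw "manage-bde -adbackup failed with exit code $LASTEXITCODE" }
```

The exit-code check matters: manage-bde reports a failed AD DS backup as a non-zero exit code rather than as a PowerShell error, so without it a script would silently continue and later delete the only escrowed password.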


Retrieve BitLocker recovery keys for a Microsoft Entra joined device

```powershell
function Get-EntraBitLockerKeys {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, HelpMessage = "Device name to retrieve the BitLocker keys from Microsoft Entra ID")]
        [string]$DeviceName
    )
    # Resolve the device name to its Entra device ID (the deviceId the key objects refer to)
    $DeviceID = (Get-MgDevice -Filter "displayName eq '$DeviceName'").DeviceId
    if ($DeviceID) {
        # Listing keys returns their IDs only; the key value must be read one key at a time
        $KeyIds = (Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$DeviceID'").Id
        if ($KeyIds) {
            Write-Host -ForegroundColor Yellow "Device name: $DeviceName"
            foreach ($KeyId in $KeyIds) {
                $recoveryKey = (Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $KeyId -Select "key").key
                Write-Host -ForegroundColor White " Key id: $KeyId"
                Write-Host -ForegroundColor Cyan " BitLocker recovery key: $recoveryKey"
            }
        } else {
            Write-Host -ForegroundColor Red "No BitLocker recovery keys found for device $DeviceName"
        }
    } else {
        Write-Host -ForegroundColor Red "Device $DeviceName not found"
    }
}
```

Before calling the function, install the Microsoft Graph PowerShell modules it uses and connect with the required scopes. Get-MgDevice lives in the Identity.DirectoryManagement module and needs the Device.Read.All scope in addition to BitlockerKey.Read.All:

```powershell
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Force
Install-Module Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser -Force
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'BitlockerKey.Read.All', 'Device.Read.All' -NoWelcome
```

Output example

```text
PS C:\> Get-EntraBitLockerKeys -DeviceName DESKTOP-53O32QI
Device name: DESKTOP-53O32QI
 Key id: 4290b6c0-b17a-497a-8552-272cc30e80d4
 BitLocker recovery key: 496298-461032-321464-595518-463221-173943-033616-139579
 Key id: 045219ec-a53b-41ae-b310-08ec883aaedd
 BitLocker recovery key: 158422-038236-492536-574783-256300-205084-114356-069773
```
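The function above retrieves key material, which is the right tool for an actual recovery. A much more common administrative question is whether a device's recovery passwords are escrowed at all, and that can be answered without ever reading a key: the Graph list endpoint returns key IDs but not key values. The following function is an added example, not from the page or from Microsoft's Graph documentation; it compares the protector IDs present on a device with the key IDs stored in Microsoft Entra ID. The function name and its parameters are this example's own. It assumes the same Graph modules as above, a session connected with the BitlockerKey.ReadBasic.All and Device.Read.All scopes, and that an Entra key ID equals the local protector GUID without braces (which is what the output example above shows).

```powershell
# Added example (not from the page): verify escrow without retrieving key material.
function Test-EntraRecoveryKeyEscrow {
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        # Local protector IDs in "{GUID}" form, e.g. from (Get-BitLockerVolume).KeyProtector
        [Parameter(Mandatory)][string[]]$LocalProtectorIds
    )
    $device = @(Get-MgDevice -Filter "displayName eq '$DeviceName'")
    if ($device.Count -ne 1) {
        throw "Expected one device named '$DeviceName', found $($device.Count); use the device ID to disambiguate."
    }
    # The list call returns ids, deviceId and metadata only; the key value is not included.
    $escrowed = @(Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$($device[0].DeviceId)'" -All |
        ForEach-Object { $_.Id.ToLowerInvariant() })

    # Assumption of this example: protector IDs are "{GUID}" locally and bare lowercase GUIDs in Entra ID.
    foreach ($id in $LocalProtectorIds) {
        $bare = $id.Trim('{', '}').ToLowerInvariant()
        [pscustomobject]@{
            ProtectorId = $id
            Escrowed    = ($bare -in $escrowed)
        }
    }
}

# Usage on the device itself (elevated, after Connect-MgGraph): collect local IDs, then compare.
$local = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -ExpandProperty KeyProtectorId
$result = Test-EntraRecoveryKeyEscrow -DeviceName $env:COMPUTERNAME -LocalProtectorIds $local
$result | Where-Object { -not $_.Escrowed } | ForEach-Object {
    Write-Warning "Protector $($_.ProtectorId) is not escrowed; run BackupToAAD-BitLockerKeyProtector for it."
}
```

Running this check before a rotation, and again after, catches the failure mode that matters most in practice: a device whose only current recovery password was never backed up, typically because the backup ran while the device was offline.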

Retrieve BitLocker recovery keys from Active Directory with BitLocker Recovery Password Viewer

BitLocker Recovery Password Viewer is an optional tool included with the Remote Server Administration Tools (RSAT). With Recovery Password Viewer, you can view the BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). The tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.

With BitLocker Recovery Password Viewer you can:

  • Check the Active Directory computer object's properties to find the associated BitLocker recovery passwords
  • Search Active Directory for BitLocker recovery passwords across all the domains in the Active Directory forest. Passwords can also be searched by password identifier (ID)

Requirements

To complete the procedures in this scenario, the following requirements must be met:

  • Domain administrator credentials
  • Devices must be joined to the domain
  • On the domain-joined devices, BitLocker must be enabled

The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer.

Install BitLocker Recovery Password Viewer

View the recovery passwords for a computer object

  1. In Active Directory Users and Computers, locate and then select the container in which the computer is located
  2. Right-click the computer object and select Properties
  3. In the Properties dialog box, select the BitLocker Recovery tab to view the BitLocker recovery passwords that are associated with the computer

Copy the recovery passwords for a computer object

  1. Follow the steps in the previous procedure to view the BitLocker recovery passwords
  2. On the BitLocker Recovery tab of the Properties dialog box, right-click the BitLocker recovery password that needs to be copied, and then select Copy Details
  3. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet

Locate a recovery password by using a password ID

  1. In Active Directory Users and Computers, right-click the domain container and select Find BitLocker Recovery Password
  2. In the Find BitLocker Recovery Password dialog box, type the first eight characters of the recovery password in the Password ID (first 8 characters) box, and select Search
  3. Once the recovery password is located, you can use the previous procedure to copy it
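The Viewer reads msFVE-RecoveryInformation objects that BitLocker stores as children of the computer object in AD DS. The following function, an added example that is not part of the page or of RSAT, performs the same two lookups (all passwords for a computer, and a password located by the first eight characters of its ID) from the ActiveDirectory PowerShell module, so the result can be logged or exported rather than copied from a dialog. The function name and parameters are this example's own. It assumes the ActiveDirectory RSAT module is installed and that the caller can read the msFVE-RecoveryPassword attribute, which by default is limited to Domain Admins; key material is returned only when explicitly requested.

```powershell
# Added example (not from the page): query the objects the Viewer displays, via the AD module.
Import-Module ActiveDirectory

function Get-AdBitLockerRecoveryInfo {
    [CmdletBinding(DefaultParameterSetName = 'ByComputer')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'ByComputer')]
        [string]$ComputerName,
        # First 8 characters of the password ID shown on the BitLocker recovery screen
        [Parameter(Mandatory, ParameterSetName = 'ByPasswordId')]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$PasswordIdPrefix,
        # Key material is only read from AD DS when this switch is given
        [switch]$IncludePassword
    )
    $props = @('msFVE-RecoveryGuid', 'whenCreated')
    if ($IncludePassword) { $props += 'msFVE-RecoveryPassword' }

    if ($PSCmdlet.ParameterSetName -eq 'ByComputer') {
        # Equivalent of the "BitLocker Recovery" tab: recovery objects are direct children
        # of the computer object.
        $computer = Get-ADComputer -Identity $ComputerName
        $objects = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
            -Filter { objectClass -eq 'msFVE-RecoveryInformation' } -Properties $props
    } else {
        # Equivalent of "Find BitLocker Recovery Password": the object name ends in
        # "{<recovery GUID>}", so a wildcard on the prefix finds it. This searches the
        # current domain; pass -Server to Get-ADObject to query another domain in the forest.
        $domainDn = (Get-ADDomain).DistinguishedName
        $objects = Get-ADObject -SearchBase $domainDn -SearchScope Subtree `
            -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(name=*{$PasswordIdPrefix*))" -Properties $props
    }

    foreach ($o in $objects) {
        $password = if ($IncludePassword) { $o.'msFVE-RecoveryPassword' } else { '<not requested>' }
        [pscustomobject]@{
            # The parent DN of a recovery object is the computer object it belongs to
            Computer   = ($o.DistinguishedName -split ',', 2)[1]
            PasswordId = [guid]::new([byte[]]$o.'msFVE-RecoveryGuid')
            Created    = $o.whenCreated
            Password   = $password
        }
    }
}

# List the password IDs (no key material) stored for one computer.
Get-AdBitLockerRecoveryInfo -ComputerName 'WORKSTATION01'

# Locate a password from the 8-character ID a user reads off the recovery screen,
# returning the password itself for the actual recovery.
Get-AdBitLockerRecoveryInfo -PasswordIdPrefix '4290b6c0' -IncludePassword
```

Keeping `-IncludePassword` opt-in means routine inventory scripts never pull key material into transcripts or CSV exports, and the access to msFVE-RecoveryPassword that auditors look for in the Directory Service access log is limited to genuine recoveries.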