| title | description | ms.collection | ms.topic | ms.date |
|---|---|---|---|---|
| Manage BitLocker recovery password | Learn how to recover BitLocker keys from Microsoft Entra ID and Active Directory Domain Services (AD DS). | | how-to | 09/29/2023 |
Recovery password
Reset recovery password
It's recommended to invalidate a recovery password after its use. In the following example, all recovery passwords are removed from the OS drive, a new one is added, and the new one is backed up.
:::image type="icon" source="images/powershell.svg"::: PowerShell
```powershell
# Remove all recovery passwords for the OS volume
(Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector | `
    Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'} | `
    Remove-BitLockerKeyProtector -MountPoint $env:SystemDrive

# Add a BitLocker recovery password protector for the OS volume
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector

# Back up the BitLocker recovery password to Microsoft Entra ID
# This step is not required if the policy setting "Choose how BitLocker-protected operating system drives can be recovered"
# is configured to "Require BitLocker backup to AD DS".
# List the recovery password protectors and their IDs, then pass the ID of the new protector to the backup cmdlet
(Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector | Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'} | Format-Table KeyProtectorId,RecoveryPassword
BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId "{GUID}"
```
:::image type="icon" source="images/cmd.svg"::: Command Prompt
`manage-bde.exe` can be used to remove the old recovery password and add a new one. The following steps identify the command and the syntax for this method.
Remove previous recovery passwords for the OS volume:

```cmd
manage-bde.exe -protectors -delete C: -type RecoveryPassword
```
Add the new recovery password:

```cmd
manage-bde.exe -protectors -add C: -RecoveryPassword
```
Obtain the ID of the new recovery password:

```cmd
manage-bde.exe -protectors -get C: -Type RecoveryPassword
```

From the screen, copy the ID of the recovery password.
Back up the new recovery password to AD DS. This step is not required if the policy setting *Choose how BitLocker-protected operating system drives can be recovered* is configured to *Require BitLocker backup to AD DS*.

```cmd
manage-bde.exe -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
```

Note: the braces `{}` must be included in the ID string.
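The PowerShell and `manage-bde.exe` procedures above both delete the old recovery password before a new one exists and is escrowed. The function below is an added example (not code from the original page) that performs the same rotation in the reverse order: add the new protector, back it up to AD DS or Microsoft Entra ID, and delete the old protectors only after the backup call succeeds, so the volume is never left without an escrowed recovery password and the protector ID is read programmatically instead of copied from the screen. The function name and its `-BackupTarget` parameter are this example's own; the cmdlets it calls are the BitLocker module's. It must run elevated.

```powershell
# Added example (not from the original page): rotate a volume's BitLocker recovery
# password in an order that never leaves the volume without a backed-up recovery
# password. Function name and the -BackupTarget parameter are this example's own;
# Get-/Add-/Remove-/Backup-BitLockerKeyProtector and BackupToAAD-BitLockerKeyProtector
# are the BitLocker module's cmdlets. Run from an elevated PowerShell session.
function Reset-BitLockerRecoveryPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [string]$MountPoint = $env:SystemDrive,
        # ADDS uses Backup-BitLockerKeyProtector, EntraID uses BackupToAAD-BitLockerKeyProtector
        [ValidateSet('ADDS', 'EntraID')]
        [string]$BackupTarget = 'ADDS'
    )

    # -WhatIf / -Confirm cover the whole rotation, not just the delete step
    if (-not $PSCmdlet.ShouldProcess($MountPoint, "Rotate BitLocker recovery password (backup to $BackupTarget)")) {
        return
    }

    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Record the IDs of the recovery passwords that exist now; only these are deleted at the end
    $oldIds = @($volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId })

    # Step 1: add the replacement protector before anything is removed
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -ErrorAction Stop | Out-Null

    # Identify the new protector by ID rather than copying it from the screen
    $new = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds }
    if (-not $new) { throw "No new recovery password protector found on $MountPoint" }
    $newId = @($new)[0].KeyProtectorId

    # Step 2: escrow the new protector. On failure the old protectors are left untouched,
    # and -ErrorAction Stop turns the failure into a terminating error for the caller.
    switch ($BackupTarget) {
        'ADDS'    { Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newId -ErrorAction Stop | Out-Null }
        'EntraID' { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newId -ErrorAction Stop | Out-Null }
    }

    # Step 3: only now invalidate the previous recovery passwords
    foreach ($id in $oldIds) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id -ErrorAction Stop | Out-Null
    }

    # Return IDs only; the password itself is read from the escrow location when needed,
    # which keeps it out of transcripts and logs
    [pscustomobject]@{
        MountPoint        = $MountPoint
        NewKeyProtectorId = $newId
        RemovedProtectors = $oldIds
        BackupTarget      = $BackupTarget
    }
}

# Usage (dry run first, then for real):
# Reset-BitLockerRecoveryPassword -MountPoint $env:SystemDrive -BackupTarget ADDS -WhatIf
# Reset-BitLockerRecoveryPassword -MountPoint $env:SystemDrive -BackupTarget ADDS
```

The ordering matters because the backup cmdlets can fail (no domain controller reachable, device not Entra joined, policy not configured); with the page's delete-first order a failed backup leaves a volume whose only recovery password was never escrowed, whereas here a failed backup leaves the old, already-escrowed protectors in place.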
Retrieve BitLocker recovery keys for a Microsoft Entra joined device
```powershell
function Get-EntraBitLockerKeys{
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, HelpMessage = "Device name to retrieve the BitLocker keys from Microsoft Entra ID")]
        [string]$DeviceName
    )
    # Resolve the device name to its Entra device ID, which is what the recovery key objects reference
    $DeviceID = (Get-MgDevice -Filter "displayName eq '$DeviceName'").DeviceId
    if ($DeviceID){
        # Listing the key objects for a device returns metadata only, not the recovery password
        $KeyIds = (Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$DeviceId'").Id
        if ($keyIds) {
            Write-Host -ForegroundColor Yellow "Device name: $devicename"
            foreach ($keyId in $keyIds) {
                # A separate read with -Select key is required to return the recovery password itself
                $recoveryKey = (Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $keyId -Select "key").key
                Write-Host -ForegroundColor White "  Key id: $keyid"
                Write-Host -ForegroundColor Cyan "  BitLocker recovery key: $recoveryKey"
            }
        } else {
            Write-Host -ForegroundColor Red "No BitLocker recovery keys found for device $DeviceName"
        }
    } else {
        Write-Host -ForegroundColor Red "Device $DeviceName not found"
    }
}

# Get-MgInformationProtectionBitlockerRecoveryKey is in Microsoft.Graph.Identity.SignIns;
# Get-MgDevice is in Microsoft.Graph.Identity.DirectoryManagement, so both modules are needed
Install-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser -Force
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.DirectoryManagement
# BitlockerKey.Read.All covers the recovery key reads; Device.Read.All is needed for Get-MgDevice
Connect-MgGraph -Scopes 'BitlockerKey.Read.All', 'Device.Read.All' -NoWelcome
```
Output example:

```console
PS C:\> Get-EntraBitLockerKeys -DeviceName DESKTOP-53O32QI
Device name: DESKTOP-53O32QI
  Key id: 4290b6c0-b17a-497a-8552-272cc30e80d4
  BitLocker recovery key: 496298-461032-321464-595518-463221-173943-033616-139579
  Key id: 045219ec-a53b-41ae-b310-08ec883aaedd
  BitLocker recovery key: 158422-038236-492536-574783-256300-205084-114356-069773
```
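`Get-EntraBitLockerKeys` reads every recovery password stored for a device. In practice the help desk has the recovery key ID from the device's recovery screen, so only one password needs to be read. The two functions below are added examples (not the page's code): `Find-EntraBitLockerKey` reads that single key through Microsoft Graph, assuming `Connect-MgGraph` has already been run with the `BitlockerKey.Read.All` scope as shown above, and `Find-AdBitLockerKey` does the same against AD DS through the RSAT `ActiveDirectory` module, which is the other escrow location this page covers. Both function names are this example's own; the `msFVE-RecoveryInformation` object class and `msFVE-RecoveryPassword` attribute are the AD DS schema BitLocker uses for escrow.

```powershell
# Added example (not from the original page): retrieve one recovery password by the
# recovery key ID shown on the device's recovery screen, instead of listing every key
# for a device. Find-EntraBitLockerKey uses Microsoft Graph (assumes Connect-MgGraph
# has been run with the BitlockerKey.Read.All scope); Find-AdBitLockerKey uses the
# RSAT ActiveDirectory module. Both function names are this example's own.

function Find-EntraBitLockerKey {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, HelpMessage = "Recovery key ID from the recovery screen")]
        [guid]$KeyId
    )
    # First call: metadata only (id, deviceId, createdDateTime); no password is returned
    $meta = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $KeyId.ToString() -ErrorAction Stop
    # Second call: -Select key is what returns the password, so it is limited to the single key needed
    $secret = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $KeyId.ToString() -Select 'key' -ErrorAction Stop
    [pscustomobject]@{
        Source           = 'EntraID'
        KeyId            = $meta.Id
        DeviceId         = $meta.DeviceId
        Created          = $meta.CreatedDateTime
        RecoveryPassword = $secret.Key
    }
}

function Find-AdBitLockerKey {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, HelpMessage = "Recovery key ID from the recovery screen")]
        [guid]$KeyId
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    # AD DS stores each recovery password as an msFVE-RecoveryInformation object under the
    # computer object. Its cn is "<timestamp>{<recovery GUID>}", so a wildcard on cn locates
    # that one object without reading every recovery object in the domain.
    $filter = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$($KeyId.ToString().ToUpperInvariant())}*))"
    $obj = Get-ADObject -LDAPFilter $filter -Properties 'msFVE-RecoveryPassword', 'whenCreated' -ErrorAction Stop
    if (-not $obj) { return $null }
    $obj = @($obj)[0]
    [pscustomobject]@{
        Source           = 'ADDS'
        KeyId            = $KeyId
        # The parent DN of the recovery object is the computer object it belongs to
        ComputerDN       = ($obj.DistinguishedName -replace '^CN=[^,]+,', '')
        Created          = $obj.whenCreated
        RecoveryPassword = $obj.'msFVE-RecoveryPassword'
    }
}

# Usage: prefer Entra ID when a Graph session exists, otherwise fall back to AD DS.
# The ID below is the first key ID from the output example above, used here only as sample input.
# $id = '4290b6c0-b17a-497a-8552-272cc30e80d4'
# if (Get-MgContext) { Find-EntraBitLockerKey -KeyId $id } else { Find-AdBitLockerKey -KeyId $id }
```

Reading one key by ID rather than enumerating a device keeps each read tied to a specific recovery request, which makes the resulting audit trail easier to reconcile with the help desk ticket that prompted it.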