windows-itpro-docs/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-password-reset.md
Paolo Matarazzo 425db8cdf3 updates
2023-10-12 08:19:00 -04:00


---
title: Manage BitLocker recovery password
description: Learn how to recover BitLocker keys from Microsoft Entra ID and Active Directory Domain Services (AD DS).
ms.collection:
- highpri
- tier1
ms.topic: how-to
ms.date: 09/29/2023
---
# Recovery password
## Reset recovery password
It's recommended to invalidate a recovery password after its use. In the following example, all recovery passwords are removed from the OS drive, a new one is added, and the new one is backed up.
#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
##### Remove all recovery passwords for the OS volume
```PowerShell
# Select every recovery password protector on the OS volume and delete it.
# A trailing pipe already continues the line, so no backtick is needed.
(Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Remove-BitLockerKeyProtector -MountPoint $env:SystemDrive
```
##### Add a BitLocker recovery password protector for the OS volume
```PowerShell
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
```
##### Back up the BitLocker recovery password to Microsoft Entra ID
This step is not required if the policy setting **Choose how BitLocker-protected operating system drives can be recovered** is configured to **Require BitLocker backup to AD DS**.
```PowerShell
# List the recovery password protectors with their IDs; copy the ID of the protector to back up.
(Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Format-Table KeyProtectorId, RecoveryPassword
# Escrow the selected protector to Microsoft Entra ID. Replace {GUID} with the ID from the list above (braces included).
BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId "{GUID}"
```
#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
`manage-bde.exe` can be used to remove the old recovery password and add a new one. The following steps show the commands and syntax for this method.
##### Remove previous recovery passwords for the OS volume
```cmd
manage-bde.exe -protectors -delete C: -type RecoveryPassword
```
##### Add the new recovery password
```cmd
manage-bde.exe -protectors -add C: -RecoveryPassword
```
##### Obtain the ID of the new recovery password
```cmd
manage-bde.exe -protectors -get C: -Type RecoveryPassword
```
From the screen, copy the ID of the recovery password.
##### Back up the new recovery password to AD DS
This step is not required if the policy setting **Choose how BitLocker-protected operating system drives can be recovered** is configured to **Require BitLocker backup to AD DS**.
```cmd
manage-bde.exe -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
```
> [!NOTE]
> The braces `{}` must be included in the ID string.
---
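The tabbed steps above are combined into a single script here as an added example; it is not part of the original article. It differs from the steps in ordering: the new protector is added and escrowed before the old ones are deleted, so the volume never sits without a backed-up recovery protector if a later step fails. The function name `Update-OSBitLockerRecoveryPassword` and the `-BackupToEntraId` switch are assumptions of this example; run it from an elevated PowerShell session.

```powershell
# Added example: rotate the OS-volume recovery password in one pass (not from the original article).
# Order: add new protector -> back it up -> remove the old ones, so a failure midway leaves
# at least one escrowed recovery protector on the volume.
function Update-OSBitLockerRecoveryPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        # Use for Microsoft Entra joined devices; without it the new protector is backed up to AD DS.
        [switch]$BackupToEntraId
    )
    $mount  = $env:SystemDrive
    $volume = Get-BitLockerVolume -MountPoint $mount
    if ($volume.ProtectionStatus -ne 'On') {
        throw "BitLocker protection is not on for $mount; refusing to rotate recovery passwords."
    }
    # IDs of the recovery passwords that are about to be invalidated.
    $oldIds = @($volume.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty KeyProtectorId)

    if (-not $PSCmdlet.ShouldProcess($mount, 'Add a new recovery password and remove the old ones')) { return }

    # 1. Add the replacement protector and take its ID from the returned volume object
    #    instead of copying it from the screen.
    $updated      = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
    $newProtector = $updated.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Where-Object KeyProtectorId -NotIn $oldIds
    if (-not $newProtector) { throw "New recovery password protector was not created on $mount." }

    # 2. Escrow the new protector before anything is deleted.
    if ($BackupToEntraId) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $newProtector.KeyProtectorId | Out-Null
    } else {
        Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $newProtector.KeyProtectorId | Out-Null
    }

    # 3. Only now invalidate the previous recovery passwords.
    foreach ($id in $oldIds) {
        Remove-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $id | Out-Null
    }

    [pscustomobject]@{
        MountPoint        = $mount
        NewKeyProtectorId = $newProtector.KeyProtectorId
        RemovedCount      = $oldIds.Count
    }
}

# Preview the change without touching the volume, then apply it.
Update-OSBitLockerRecoveryPassword -BackupToEntraId -WhatIf
Update-OSBitLockerRecoveryPassword -BackupToEntraId
```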
## Retrieve BitLocker recovery keys for a Microsoft Entra joined device
```PowerShell
function Get-EntraBitLockerKeys {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, HelpMessage = "Device name to retrieve the BitLocker keys from Microsoft Entra ID")]
        [string]$DeviceName
    )
    # Resolve the display name to the device's deviceId, which the recovery key objects reference.
    $DeviceID = (Get-MgDevice -Filter "displayName eq '$DeviceName'").DeviceId
    if ($DeviceID) {
        $KeyIds = (Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$DeviceID'").Id
        if ($KeyIds) {
            Write-Host -ForegroundColor Yellow "Device name: $DeviceName"
            foreach ($keyId in $KeyIds) {
                # The key material is returned only when selected explicitly; reading it is recorded in the Microsoft Entra ID audit log.
                $recoveryKey = (Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $keyId -Select "key").key
                Write-Host -ForegroundColor White "  Key id: $keyId"
                Write-Host -ForegroundColor Cyan "  BitLocker recovery key: $recoveryKey"
            }
        } else {
            Write-Host -ForegroundColor Red "No BitLocker recovery keys found for device $DeviceName"
        }
    } else {
        Write-Host -ForegroundColor Red "Device $DeviceName not found"
    }
}

# Get-MgDevice lives in Microsoft.Graph.Identity.DirectoryManagement; the BitLocker recovery key cmdlets are in Microsoft.Graph.Identity.SignIns.
Install-Module Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Force
Import-Module Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns
# Device.Read.All is needed for the device lookup, BitlockerKey.Read.All for reading the recovery key.
Connect-MgGraph -Scopes 'Device.Read.All', 'BitlockerKey.Read.All' -NoWelcome
```
### Output example
```PowerShell
PS C:\> Get-EntraBitLockerKeys -DeviceName DESKTOP-53O32QI
Device name: DESKTOP-53O32QI
  Key id: 4290b6c0-b17a-497a-8552-272cc30e80d4
  BitLocker recovery key: 496298-461032-321464-595518-463221-173943-033616-139579
  Key id: 045219ec-a53b-41ae-b310-08ec883aaedd
  BitLocker recovery key: 158422-038236-492536-574783-256300-205084-114356-069773
```