Microsoft offers several options for storing the recovery key when activating BitLocker. Traditionally, you could print it out or save it to a file. The Microsoft account has also been available for this purpose for some time now. From there, it can be read on almost any device from anywhere.

Windows may require you to enter a BitLocker recovery key for a number of reasons. This is the case, for example, after changes to the firmware/BIOS settings, the NTFS partition table, or the hardware.

Solution for individual or workgroup PCs

For computers that are members of a domain, admins prefer to store the key in Active Directory. This can be automated via group policies and protects the key from unauthorized access. With a hybrid AD join, the recovery key can be stored in Azure AD.
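As an added illustration (not code from the 4sysops article), the following PowerShell script escrows the recovery password protector of a volume the same way the group policy path does, but on demand: to AD DS for a domain-joined computer, or to Azure AD for a hybrid-joined one. It relies on the cmdlets of the built-in BitLocker module (Get-BitLockerVolume, Add-BitLockerKeyProtector, Backup-BitLockerKeyProtector, BackupToAAD-BitLockerKeyProtector); the -Target parameter and its two values are this example's own naming. It assumes an elevated session and that the directory side (schema, permissions or Azure AD join state) already allows the write.

```powershell
# Added example, not from the article: escrow the BitLocker recovery password
# of one volume to AD DS or Azure AD. -Target and its values are assumptions
# of this script; the cmdlets are the standard BitLocker module cmdlets.
#Requires -RunAsAdministrator
param(
    [ValidateSet('ADDS', 'AzureAD')]
    [string]$Target = 'ADDS',
    [string]$MountPoint = $env:SystemDrive
)

Import-Module BitLocker

$volume = Get-BitLockerVolume -MountPoint $MountPoint
if ($volume.VolumeStatus -eq 'FullyDecrypted') {
    throw "$MountPoint is not protected by BitLocker; there is nothing to back up."
}

# Only the 48-digit numerical recovery password can be escrowed; a TPM protector cannot.
$recovery = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

if ($recovery.Count -eq 0) {
    # Without a recovery password protector a directory backup would have nothing to store.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

foreach ($protector in $recovery) {
    switch ($Target) {
        'ADDS' {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $protector.KeyProtectorId
        }
        'AzureAD' {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $protector.KeyProtectorId
        }
    }
    # Only the protector ID is logged; the recovery password itself stays out of the transcript.
    Write-Host ("Escrowed recovery password protector {0} of {1} to {2}" -f
        $protector.KeyProtectorId, $MountPoint, $Target)
}
```

Run it as `.\Backup-RecoveryKey.ps1 -Target AzureAD` on a hybrid-joined machine, or without parameters for AD DS. The script deliberately creates a recovery password protector when none exists, because a volume that is protected only by the TPM has no recovery key that could be escrowed anywhere, including in a Microsoft account.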

A cloud option is also available for workgroup PCs where the Microsoft account is used. Compared to conventional alternatives (printout or file on a USB stick), this variant is more secure, and the key can also be read from practically anywhere.

Select the Microsoft account as the storage location

If you activate BitLocker via the Control Panel, you have to specify where you want to store the key in the wizard's first dialog box. One of the options here is Save to your Microsoft account.

Selecting the storage options for the BitLocker recovery key

If you select this but are logged on to the computer with a local account rather than a Microsoft account, the process aborts with an error message.

Saving the key to the Microsoft account requires that you are logged on to the computer with it

In this situation, however, it is not necessary to switch to a Microsoft account. Rather, it is sufficient to (temporarily) link the local account with the online account. To do so, add it in the Settings app under Accounts > Email and accounts.

Link a local account to a Microsoft account

If you have already chosen another option for saving the recovery key when activating BitLocker—for example, a file on a removable drive—you can still store the key in the Microsoft account afterward.

To do so, navigate to System and Security > BitLocker Drive Encryption in the Control Panel. There, click the Back up your recovery key link. This opens the same dialog box as in the wizard for activating BitLocker, where you can select the Microsoft account as the target.

Save the BitLocker key to the Microsoft account retrospectively

Read the BitLocker key from the Microsoft account

If you need the recovery key, you can log on to your Microsoft account on any device and read all the keys for the computers that you have stored there.

To do so, enter the URL https://account.microsoft.com/devices/recoverykey into the browser. After authentication, a list with the keys appears. You can also delete them from here, if necessary.
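A practical check before relying on the keys stored in the account: confirm locally which recovery password protectors each encrypted volume actually has, so their IDs can be matched against the entries listed at https://account.microsoft.com/devices/recoverykey, and spot volumes that carry no recovery password at all (nothing from those could ever have been saved). The following read-only PowerShell report is an added example, not part of the article; it uses only Get-BitLockerVolume from the built-in BitLocker module and assumes an elevated session.

```powershell
# Added example, not from the article: report the recovery password protector
# IDs of every BitLocker-protected volume so they can be compared with the
# key IDs stored in the Microsoft account. Read-only; the 48-digit recovery
# password is intentionally not printed.
#Requires -RunAsAdministrator
Import-Module BitLocker

$report = foreach ($vol in Get-BitLockerVolume) {
    # Unencrypted volumes have no key to match.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    if ($recovery.Count -eq 0) {
        # This volume cannot have a key in the account; flag it instead of silently skipping it.
        [pscustomobject]@{
            Volume     = $vol.MountPoint
            Protection = $vol.ProtectionStatus
            KeyId      = '(none: add a recovery password protector, then back it up)'
        }
        continue
    }

    foreach ($protector in $recovery) {
        [pscustomobject]@{
            Volume     = $vol.MountPoint
            Protection = $vol.ProtectionStatus
            # Compare the leading characters of this GUID with the key ID shown on the
            # recovery screen and in the account's key list.
            KeyId      = $protector.KeyProtectorId.Trim('{}')
        }
    }
}

$report | Format-Table -AutoSize
```

A row whose KeyId column reads "(none: ...)" means the volume is protected by the TPM alone; run Add-BitLockerKeyProtector with -RecoveryPasswordProtector on it and then back the key up again, otherwise a firmware or hardware change on that machine ends in a recovery prompt that no stored key can answer.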

Extract the BitLocker recovery key from the Microsoft account

Summary

For computers that are not members of an AD domain or Azure AD, the option to save the BitLocker key in the Microsoft account offers a convenient and secure alternative to printing it out or storing it in a file.

The process is extremely simple. A hurdle occurs when you are logged on to the computer with a local account. In this case, linking to a Microsoft account will help.

© 4sysops 2006 - 2023
