Windows may require you to enter a BitLocker recovery key for a number of reasons. This is the case, for example, after changes to the firmware/BIOS settings, the NTFS partition table, or the hardware.
Solution for individual or workgroup PCs
For computers that are members of a domain, admins prefer to store the key in Active Directory, where it is kept as a child object of the computer account and is readable only by accounts that have been granted access to it. Escrowing the key there can be automated via group policy. With a hybrid AD join, the recovery key can be stored in Azure AD instead of or in addition to the on-premises directory.
A cloud option is also available for workgroup PCs where a Microsoft account is used. Compared to the conventional alternatives (printout or file on a USB stick), this variant is more secure because the key is protected by the account's credentials and multifactor authentication rather than by physical custody of a piece of paper or a stick, and the key can be read from practically anywhere. The flip side is that anyone who gains control of the Microsoft account can read the recovery key, so the account itself should be protected with MFA.
Select the Microsoft account as the storage location
If you activate BitLocker via the Control Panel, you have to specify where you want to store the key in the wizard's first dialog box. One of the options here is Save to your Microsoft account.
If you select this but are logged on to the computer with a local account rather than a Microsoft account, the process aborts with an error message.
In this situation, however, it is not necessary to switch the Windows logon to a Microsoft account. It is sufficient to (temporarily) link the Microsoft account to the local account. To do so, add it in the Settings app under Accounts > Email & accounts.
If you have already chosen another option for saving the recovery key when activating BitLocker—for example, a file on a removable drive—you can still store the key in the Microsoft account afterward.
To do so, navigate to System and Security > BitLocker Drive Encryption in the Control Panel. There, click the Back up your recovery key link. This opens the same dialog box as in the wizard for activating BitLocker, where you can select the Microsoft account as the target.
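The backup dialog described above is the only path to the Microsoft account target; there is no cmdlet for it. For the other stores the article mentions (Active Directory on domain members, Azure AD on hybrid or Azure AD joined machines), the same step can be scripted. The following script is an added example and is not code from the article; it assumes an elevated session, the BitLocker PowerShell module that ships with Windows 10/11, and a volume that is already protected. It lists the recovery password protector(s) on a volume, escrows each one to whichever directory the machine is joined to, and on a workgroup PC prints the Key ID so you can check that the key saved through the dialog is the one the recovery screen will ask for.

```powershell
# Added example (not the article author's code). Escrow the BitLocker recovery
# password of a volume to AD DS and/or Azure AD depending on join state; on a
# workgroup PC only print the Key ID for comparison with the Microsoft account.
# Assumptions: elevated session, BitLocker module present, volume already protected.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = 'C:'
)

$volume = Get-BitLockerVolume -MountPoint $MountPoint
if ($volume.VolumeStatus -eq 'FullyDecrypted') {
    throw "$MountPoint is not BitLocker-protected; enable BitLocker first."
}

# Only RecoveryPassword protectors (the 48-digit key) can be backed up.
$recovery = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    # No numerical password yet: add one so there is something to escrow.
    $recovery = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# PartOfDomain covers AD DS membership; dsregcmd reports the Azure AD join
# state (pure or hybrid). Both can be true on a hybrid-joined machine.
$domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
$aadJoined    = [bool]((dsregcmd.exe /status) -match '^\s*AzureAdJoined\s*:\s*YES')

foreach ($p in $recovery) {
    # The protector ID is the "Key ID" shown on the recovery screen and in the
    # key list at account.microsoft.com; it is what you compare to confirm the
    # right key was saved. The 48-digit password itself is deliberately not echoed.
    Write-Host "Recovery password protector $($p.KeyProtectorId) on $MountPoint"

    if ($aadJoined) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
        Write-Host '  escrowed to Azure AD'
    }
    if ($domainJoined) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
        Write-Host '  escrowed to Active Directory'
    }
    if (-not ($aadJoined -or $domainJoined)) {
        Write-Host '  workgroup PC: no cmdlet target. Use Control Panel > BitLocker Drive Encryption >'
        Write-Host '  "Back up your recovery key" > "Save to your Microsoft account", then confirm the'
        Write-Host '  Key ID above appears at https://account.microsoft.com/devices/recoverykey'
    }
}
```

Save it under any name (the file name is not prescribed here) and run it from an elevated PowerShell with `-MountPoint` set to the drive letter; on a domain member, `Backup-BitLockerKeyProtector` fails if the computer object lacks the schema permissions that the group policy for BitLocker recovery information normally relies on, so a failure there usually points at directory configuration rather than at the volume.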
Read the BitLocker key from the Microsoft account
If you need the recovery key, you can log on to your Microsoft account on any device and read all the keys for the computers that you have stored there.
To do so, enter the URL https://account.microsoft.com/devices/recoverykey into the browser. After authentication, a list of the stored keys appears, each with the device name, the drive, the Key ID, and the 48-digit recovery key. The Key ID is what the BitLocker recovery screen displays, so it tells you which entry belongs to the locked drive. You can also delete keys from here, if necessary.
Summary
For computers that are not members of an AD domain or Azure AD, the option to save the BitLocker key in the Microsoft account offers a convenient and secure alternative to printing it out or storing it in a file.
The process is extremely simple. The one hurdle is being logged on to the computer with a local account; in that case, linking a Microsoft account to the local account resolves the error.