Windows may require you to enter the BitLocker recovery key for a number of reasons. Typically, this happens after changes to the firmware/BIOS settings or boot order, to the partition table or boot configuration, or to the hardware, because the TPM measurements to which the volume key is sealed no longer match and the drive can only be unlocked with the 48-digit recovery password.
Solution for individual or workgroup PCs
For computers that are members of a domain, admins prefer to store the key in Active Directory. This can be automated via group policy (including the setting that refuses to enable BitLocker until the key has been escrowed), and the key is then stored on the computer object, where only accounts with the appropriate permissions can read it. With a hybrid Azure AD join, the recovery key can be stored in Azure AD instead of, or in addition to, AD DS.

A cloud option is also available for workgroup PCs where a Microsoft account is used. Compared to the conventional alternatives (printout or file on a USB stick), this variant is more secure and the key can be read from practically anywhere. Bear in mind, however, that the key is then exactly as well protected as the Microsoft account itself, so a strong password and multi-factor authentication on that account are a prerequisite.
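The domain and Azure AD variants mentioned above can also be driven from PowerShell, which is useful for verifying that escrow actually happened or for catching up on machines that were encrypted before the policy was in place. The following script is an added example and not part of the original article; it assumes an elevated session, the OS drive at C:, and uses `dsregcmd` and `Win32_ComputerSystem` to decide where the key can be escrowed.

```powershell
# Added example (not from the original article): back up the OS drive's recovery
# password to AD DS and/or Azure AD from PowerShell. This is the scripted
# equivalent of the group-policy-driven escrow described above. Run elevated;
# the BitLocker module ships with Windows. Mount point and the join checks are
# assumptions of this example.
$MountPoint = 'C:'

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Only a recovery password (48 digits) can be escrowed; a drive that has just a
# TPM protector gets one added first.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Where can this computer escrow the key?
$domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
$dsreg        = dsregcmd /status
$aadJoined    = @($dsreg -match 'AzureAdJoined\s*:\s*YES').Count -gt 0

foreach ($p in $rp) {
    $id = $p.KeyProtectorId
    if ($domainJoined) {
        # Creates an msFVE-RecoveryInformation object under the computer account.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
        "Backed up $id to AD DS"
    }
    if ($aadJoined) {
        # Hybrid or pure Azure AD join: escrow to the device object in Azure AD.
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
        "Backed up $id to Azure AD"
    }
    if (-not $domainJoined -and -not $aadJoined) {
        "No directory to escrow to. Save key $id via Control Panel (Microsoft account, file or printout)."
    }
}

# Optional: show the policy values behind "Choose how BitLocker-protected operating
# system drives can be recovered" (Computer Configuration > Administrative Templates >
# Windows Components > BitLocker Drive Encryption > Operating System Drives).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
Get-ItemProperty -Path $fve -Name OSActiveDirectoryBackup, OSRequireActiveDirectoryBackup `
    -ErrorAction SilentlyContinue
```

`Backup-BitLockerKeyProtector` needs the AD schema extension for BitLocker and write access to the computer object, which a domain-joined machine has for its own account; if it throws, the policy-based escrow would fail in the same way, so the error is worth investigating rather than suppressing.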
Select the Microsoft account as the storage location
If you activate BitLocker via the Control Panel, you have to specify where you want to store the key in the wizard's first dialog box. One of the options here is Save to your Microsoft account.
If you select this but are logged on to the computer with a local account rather than a Microsoft account, the process aborts with an error message.
In this situation, however, it is not necessary to switch the Windows logon to a Microsoft account. It is sufficient to (temporarily) link the local account with the online account. To do so, add the Microsoft account in the Settings app under Accounts > Email & accounts, and then run the BitLocker wizard again.
If you have already chosen another option for saving the recovery key when activating BitLocker—for example, a file on a removable drive—you can still store the key in the Microsoft account afterward.
To do so, navigate to System and Security > BitLocker Drive Encryption in the Control Panel. There, click the Back up your recovery key link. This opens the same dialog box as in the wizard for activating BitLocker, where you can select the Microsoft account as the target.
Read the BitLocker key from the Microsoft account
If you need the recovery key, you can sign in to your Microsoft account on any device and read all the keys for the computers that you have stored there.

To do so, enter the URL https://account.microsoft.com/devices/recoverykey into the browser. After authentication, a list with the keys appears, including the key ID of each protector so that you can match an entry to the ID shown on the recovery screen. You can also delete keys from here, which you should do for devices you no longer own or for recovery passwords you have replaced, since anyone who can sign in to the account can read every key listed.
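To match an entry in the account portal to a drive, and to rotate a recovery password after it has been shown on the recovery screen or read by someone who should not have it, the locally stored protectors need to be listed. The following is an added example and not code from the original article; the function names and the rotation step are this example's own, and it assumes an elevated session on the encrypted computer.

```powershell
# Added example (not from the original article): list the recovery password
# protectors of every BitLocker volume together with the key ID that the
# Microsoft account page lists (the recovery screen shows its first eight
# characters), and rotate a recovery password that has been exposed.
# Run elevated. Function names are this example's own.
function Get-RecoveryKeyIds {
    Get-BitLockerVolume | ForEach-Object {
        $vol = $_
        $vol.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' |
            ForEach-Object {
                [pscustomobject]@{
                    Drive      = $vol.MountPoint
                    KeyId      = $_.KeyProtectorId                               # {GUID}
                    ShortKeyId = $_.KeyProtectorId.Trim('{}').Substring(0, 8)    # as on the recovery screen
                    # Any local administrator can read the 48-digit password here,
                    # which is why the online copy is only as safe as the account.
                    Password   = $_.RecoveryPassword
                }
            }
    }
}

# After a recovery key has been used or disclosed, issue a new one and remove the
# old protector. Afterwards, save the new key again (Control Panel > Back up your
# recovery key) and delete the stale entry on the account page.
function Update-RecoveryPassword {
    param(
        [string]$MountPoint = 'C:',
        [string]$OldKeyId
    )
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    if ($OldKeyId) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $OldKeyId | Out-Null
    }
    Get-RecoveryKeyIds | Where-Object Drive -eq $MountPoint
}

# Usage: show which key ID belongs to which drive.
Get-RecoveryKeyIds | Format-Table Drive, ShortKeyId, KeyId
# Usage: rotate the OS drive's recovery password once the old one is known to be exposed.
# Update-RecoveryPassword -MountPoint 'C:' -OldKeyId '{old-key-protector-id}'
```

Rotation only helps if the old key is also removed from every place it was saved; a 48-digit password that still lives in the portal, on a printout, or in an escrow object remains a valid way to unlock the drive until the corresponding protector is gone from the volume.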
For computers that are not members of an AD domain or Azure AD, the option to save the BitLocker key in the Microsoft account offers a convenient and secure alternative to printing it out or storing it in a file.
The process is extremely simple. The only hurdle occurs when you are logged on to the computer with a local account; in this case, linking it to a Microsoft account solves the problem.