BitLocker Keys
View and manage BitLocker recovery keys for Windows devices. Recovery keys are escrowed to Azure AD when BitLocker is configured through Intune.
Recovery Key Types
Recovery Password
A 48-digit numerical password for BitLocker recovery. Generated automatically when BitLocker is enabled. Stored in Azure AD with the device object.
Recovery Key
A 256-bit key stored on a USB drive. An alternative to the recovery password.
Viewing Recovery Keys
Admin Portal
- Navigate to device details
- Select Security section
- View the BitLocker recovery key
- Copy the key to provide to the user
Azure AD Portal
Navigate to the device object in Azure AD and select BitLocker keys.
Self-Service
Users retrieve their own keys at myaccount.microsoft.com.
Key Rotation
- Automatic rotation after key is used for recovery
- Manual rotation triggered by admin
- New key generated and escrowed to Azure AD
- Previous key retained briefly for transition
When Recovery Keys Are Needed
- BIOS/UEFI firmware updates
- Hardware changes (motherboard, TPM)
- Too many incorrect PIN attempts
- Secure boot configuration changes
- Forgotten BitLocker PIN
- Moving the drive to a different computer
Key Escrow Status
| Status | Description |
|---|---|
| Escrowed | Key stored in Azure AD |
| Pending | Key generation in progress |
| Failed | Key escrow failed |
| Not Available | BitLocker not enabled |
Audit Trail
All recovery key access is logged: who accessed, when, which device, and access source.
Best Practices
- Always require key escrow before enabling encryption
- Rotate keys after every recovery event
- Monitor for devices with missing or failed escrow
- Restrict key access to authorized personnel
- Enable self-service to reduce helpdesk calls
- Audit key access logs regularly
API Reference
- GET /api/devices/security/bitlocker/keys — List escrowed keys
- GET /api/devices/security/bitlocker/keys/:deviceId — Get device keys
- POST /api/devices/security/bitlocker/keys/:deviceId/rotate — Rotate key
- GET /api/devices/security/bitlocker/keys/audit — Get audit log
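The two monitoring checks from Best Practices (devices with missing or failed escrow, and keys that were accessed for recovery but not rotated afterwards) as an added example, not code from the portal or its API. The JSON field names (deviceId, status, lastRotated, accessedBy, timestamp, source) and the sample records are assumptions constructed for the example; the page documents only the endpoint paths and the status values.

```python
from datetime import datetime, timezone

# Constructed sample of a GET /api/devices/security/bitlocker/keys response.
# Field names are assumed; only the endpoint and the status values come from the docs.
ESCROW_STATUS = [
    {"deviceId": "dev-001", "status": "Escrowed", "lastRotated": "2024-05-01T10:00:00Z"},
    {"deviceId": "dev-002", "status": "Failed", "lastRotated": None},
    {"deviceId": "dev-003", "status": "Not Available", "lastRotated": None},
    {"deviceId": "dev-004", "status": "Escrowed", "lastRotated": "2024-05-03T08:00:00Z"},
    {"deviceId": "dev-005", "status": "Pending", "lastRotated": None},
]

# Constructed sample of GET /api/devices/security/bitlocker/keys/audit entries.
AUDIT_LOG = [
    {"deviceId": "dev-001", "accessedBy": "helpdesk@example.com",
     "timestamp": "2024-05-02T12:30:00Z", "source": "Admin Portal"},
    {"deviceId": "dev-004", "accessedBy": "user@example.com",
     "timestamp": "2024-05-02T09:00:00Z", "source": "Self-Service"},
]


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def devices_without_escrow(keys):
    """Devices whose recovery key is not held in Azure AD (status Failed or Not Available).
    Pending is excluded: key generation is still in progress."""
    return sorted(d["deviceId"] for d in keys if d["status"] in ("Failed", "Not Available"))


def devices_unrotated_since_access(keys, audit):
    """Devices whose key was accessed after its last rotation. The key shown to a
    helpdesk agent or user still unlocks the drive until it is rotated."""
    rotated = {d["deviceId"]: _ts(d["lastRotated"]) for d in keys if d["lastRotated"]}
    flagged = set()
    for entry in audit:
        last_rotation = rotated.get(entry["deviceId"])
        if last_rotation is not None and _ts(entry["timestamp"]) > last_rotation:
            flagged.add(entry["deviceId"])
    return sorted(flagged)


if __name__ == "__main__":
    print("Missing or failed escrow:", devices_without_escrow(ESCROW_STATUS))
    print("Accessed but not rotated:", devices_unrotated_since_access(ESCROW_STATUS, AUDIT_LOG))
```

Devices in the second list are candidates for POST /api/devices/security/bitlocker/keys/:deviceId/rotate once the recovery is confirmed complete.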