How to enable BitLocker and recover the BitLocker recovery key
In this post we will see how to enable BitLocker on a Windows device and save the BitLocker recovery key to a Microsoft account. Other options are also available for saving the recovery key, such as printing it, saving it as a PDF, or saving it to a text file for later use. Using a Microsoft account, however, keeps the recovery passwords for all of your devices in one central place.
BitLocker Drive Encryption is a full-volume encryption feature built into Windows. It encrypts the whole volume (the operating system drive, fixed data drives and removable drives) in software, and it can use the Trusted Platform Module (TPM) hardware to protect the key that unlocks the drive. It is included in Windows 10 and Windows 11 (Pro, Enterprise and Education editions) and in Windows Server 2016 and later.
BitLocker works best with a Trusted Platform Module (TPM) version 1.2 or later, a hardware component that nearly all current computers include, although it is not compulsory. BitLocker can be used without a TPM, but that requires a specific Group Policy setting (Allow BitLocker without a compatible TPM) and a startup key or password instead. With a TPM, the key that unlocks the drive is sealed to the TPM and released only when the measured boot components (firmware, boot loader and boot configuration) match what was recorded when BitLocker was turned on; enabling Secure Boot in the UEFI firmware settings additionally ensures that only signed boot components are loaded. TPM plus Secure Boot is the recommended configuration.
Encrypt Drive – Save recovery key to Microsoft Account
Let's log in to a device. I have a workstation where I am logged in with a Microsoft account. It has two drives: C: with the operating system and D: with data.
Right-click the C: drive and select Turn on BitLocker.
The BitLocker Drive Encryption page opens and asks you to back up your recovery key. There are 3 options:
Save to your Microsoft Account
Save to a file
Print the recovery key
Any of the 3 options can be used to save the key; to save it to the Microsoft account, choose the 1st option.
This saves the recovery key to your Microsoft account. The drive is not encrypted yet; encryption starts only after the remaining steps below.
Once done, it returns to the same page with all 3 options still present. Click Next.
On the Choose how much of your drive to encrypt page, Encrypt used disk space only is much faster and is fine for a new PC or a freshly formatted drive. On a drive that has already been in use, choose Encrypt entire drive: free space can still hold remnants of deleted files, and used-space-only encryption leaves that free space in the clear. Encrypting the entire drive takes longer depending on the disk size. Click Next.
On the Choose which encryption mode to use page, select New encryption mode, which uses XTS-AES (XTS-AES 128-bit by default). It requires Windows 10 version 1511 or later, so use it for fixed drives that stay on this device. Compatible mode (AES-CBC) is only needed for removable drives that may be unlocked on older versions of Windows.
On the Ready to encrypt this drive page, click Start encrypting.
Allow some time for the disk to encrypt. You may close the window; encryption continues in the background.
Monitor the progress
You can monitor progress in the GUI, but if you have closed the window, check it with the BitLocker command-line utility manage-bde. Run the following in a command prompt with administrative rights:
manage-bde -status c:
Once the encryption process is completed, run the command again and the status now shows:
Conversion Status: Used Space Only Encrypted
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Encrypt Data Drive
The D: drive can be encrypted the same way. This time one more option appears: Automatically unlock this drive on this computer.
Because this is a data drive (not containing the OS or system files), we can choose to unlock it automatically. Auto-unlock stores the data drive's unlock key on the BitLocker-protected operating system drive, which is why it is only offered for data drives on a computer whose OS drive is protected. If it is not selected, the drive stays locked after every restart and has to be unlocked manually, in this case with the 48-digit recovery password.
On the How do you want to back up your recovery key page, one more option is offered for this drive: Save to a USB flash drive.
Selecting Save to your Microsoft account saves this drive's recovery key to the Microsoft account as well.
For the data drive, Save to a file cannot target a local drive here, because both C: and D: are now BitLocker-encrypted and BitLocker refuses to store a recovery key on an encrypted volume. Choose a USB flash drive (or the Microsoft account) instead; otherwise you will get the error This location can't be used. Your recovery key can't be saved to an encrypted drive. Choose a different location.
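The OS-drive and data-drive procedures above, done from an elevated PowerShell session instead of the wizard. This is an added example and not code from the original post. It assumes a UEFI machine with a TPM, C: as the OS drive, D: as the data drive, and a USB flash drive at E: to receive the recovery key files (there is no cmdlet for the consumer Microsoft account backup the wizard offers, so the key is written to removable media, with the same refusal to write to an encrypted volume that the wizard shows).

```powershell
# Added example, not from the original post. Assumed drive letters: C: (OS), D: (data), E: (USB).
#Requires -RunAsAdministrator

function Assert-TpmReady {
    # The post recommends TPM + Secure Boot; fail early if the TPM is not usable.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM is missing or not ready; fix it in firmware (or configure the no-TPM policy) first.'
    }
    try {
        if (-not (Confirm-SecureBootUEFI)) {
            Write-Warning 'Secure Boot is off; BitLocker still works, but boot-time integrity is weaker.'
        }
    } catch { Write-Warning 'Secure Boot state could not be read (legacy BIOS boot?).' }
}

function Export-RecoveryPassword {
    param([string]$MountPoint, [string]$Folder)
    # Refuse the same way the wizard does: the target volume must not itself be BitLocker-encrypted.
    $target = Get-BitLockerVolume -MountPoint $Folder.Substring(0, 2) -ErrorAction Stop
    if ($target.VolumeStatus -ne 'FullyDecrypted') {
        throw "Refusing to save the recovery key to encrypted volume $($target.MountPoint)."
    }
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $id   = $rp.KeyProtectorId.Trim('{}')
    $file = Join-Path $Folder "BitLocker Recovery Key $id.txt"
    @("Identifier: $id", "Recovery Key: $($rp.RecoveryPassword)") | Set-Content -Path $file
    return $file
}

function Enable-DriveEncryption {
    param([string]$MountPoint, [switch]$OsDrive, [switch]$EntireDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint is already $($vol.VolumeStatus); nothing to do."
    }
    # XTS-AES 128 is the wizard's 'new encryption mode'. Used-space-only is the fast option;
    # pass -EntireDrive for a disk that has held data before.
    $common = @{ MountPoint = $MountPoint; EncryptionMethod = 'XtsAes128'; SkipHardwareTest = $true }
    if (-not $EntireDrive) { $common.UsedSpaceOnly = $true }

    if ($OsDrive) {
        # Add the 48-digit recovery password first, then bind the drive to the TPM.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        Enable-BitLocker @common -TpmProtector | Out-Null
    } else {
        # A data drive needs no TPM protector; until auto-unlock or a password protector is
        # added, the recovery password is its only way to unlock.
        Enable-BitLocker @common -RecoveryPasswordProtector | Out-Null
    }
}

function Wait-Encryption {
    param([string]$MountPoint)
    # Same fields manage-bde -status prints: conversion status, percentage, protection status.
    do {
        Start-Sleep -Seconds 30
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ('{0} {1} {2}% Protection {3}' -f $MountPoint, $vol.VolumeStatus,
                    $vol.EncryptionPercentage, $vol.ProtectionStatus)
    } while ($vol.VolumeStatus -eq 'EncryptionInProgress')
}

Assert-TpmReady
foreach ($drive in 'C:', 'D:') {
    Enable-DriveEncryption -MountPoint $drive -OsDrive:($drive -eq 'C:')
    $saved = Export-RecoveryPassword -MountPoint $drive -Folder 'E:\bitlocker'
    Write-Host "Recovery password for $drive written to $saved"
    Wait-Encryption -MountPoint $drive
}
```

The recovery password is added before the TPM protector so that a usable key exists even if binding to the TPM fails. On a device joined to Microsoft Entra ID, BackupToAAD-BitLockerKeyProtector can escrow the same protector centrally; for a personal Microsoft account, the wizard path in this post is the way to store it.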
Verify Recovery Password details on Microsoft Account
Log in to the Microsoft account; it lists all the devices you have.
Click on Info & Devices.
Under BitLocker data protection click Manage recovery keys, then click Show other available keys to list all the recovery keys you have.
The recovery key information for all devices is shown. For the device I encrypted there are 2 rows, each with a Key ID and a 48-digit Recovery Key, also called the recovery password.
The row whose Drive type is OSV is the operating system volume (C:), while FDV is the fixed data volume (D:).
The recovery key is all anyone needs to unlock the drive and read its contents, so guard it like a password: whoever holds a copy of the 48-digit recovery password, or can sign in to the Microsoft account that stores it, can decrypt the data.
Recover the drive using Recovery Password
Let's assume the disk has been moved to another computer, or hardware or firmware changes have been made on this one (for example a firmware update, a change to the boot order, or disabling Secure Boot) so that the TPM measurements no longer match. In either case the system does not boot straight into the OS; instead it shows the BitLocker recovery screen with the message Enter the recovery key for this drive.
Look closely at the Recovery key ID shown on that screen: its first 8 characters are all we need to find the matching entry on the Microsoft account page > BitLocker recovery keys.
For Key ID 634666FA, the corresponding Recovery Key is 319957-668822-461725-613492-393316-131912-136686-211288. Type this 48-digit password at the recovery screen to unlock the drive and boot the system.
BitLocker Drive Encryption Tools
manage-bde.exe is the built-in command-line tool for BitLocker Drive Encryption. There are BitLocker cmdlets for Windows PowerShell as well. They come in very handy for a few tasks.
manage-bde: view or generate a recovery key
Run the following command to see your recovery key / recovery password. The 2nd command saves the output to a text file; write that file to removable media, not to an encrypted drive, and delete it once the key is stored safely elsewhere.
manage-bde -protectors -get c:
manage-bde -protectors -get c: > recoverykey.txt
To generate a new recovery password, add another recovery password protector. The old one stays valid until you delete it, so remove it afterwards if it may have been disclosed:
manage-bde -protectors -add d: -RecoveryPassword
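The recovery tasks from the two sections above (matching the Key ID prefix shown on the recovery screen to a saved key, using it, and then rotating it) with the BitLocker PowerShell cmdlets. This is an added example and not code from the original post. The dump it parses is a constructed sample of what manage-bde -protectors -get writes; the Key ID prefix and the 48-digit password come from the post, the rest of the GUID and the TPM protector ID are made up, and D: is assumed to be the locked data drive.

```powershell
# Added example, not from the original post.
#Requires -RunAsAdministrator

# Constructed sample of what 'manage-bde -protectors -get d: > recoverykey.txt' writes
# (GUIDs other than the 8-character prefix are made up).
$SampleDump = @'
Volume D: [Data]
All Key Protectors

    Numerical Password:
      ID: {634666FA-1111-2222-3333-444455556666}
      Password:
        319957-668822-461725-613492-393316-131912-136686-211288

    External Key:
      ID: {A1B2C3D4-0000-0000-0000-000000000000}
'@

function Get-RecoveryPasswordFromDump {
    param([string]$Text)
    # One object per 'Numerical Password' protector: GUID (braces stripped) and 48-digit password.
    $pattern = '(?s)Numerical Password:\s*ID:\s*\{([0-9A-Fa-f-]+)\}\s*Password:\s*(\d{6}(?:-\d{6}){7})'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        [pscustomobject]@{ KeyId = $m.Groups[1].Value.ToUpper(); RecoveryPassword = $m.Groups[2].Value }
    }
}

function Test-RecoveryPassword {
    param([string]$Password)
    # Catches typos before you stand at the recovery screen: every 6-digit block of a BitLocker
    # numerical password is a multiple of 11 and, divided by 11, fits in 16 bits.
    if ($Password -notmatch '^\d{6}(-\d{6}){7}$') { return $false }
    foreach ($block in $Password.Split('-')) {
        $n = [int]$block
        if (($n % 11) -ne 0 -or ($n / 11) -ge 65536) { return $false }
    }
    return $true
}

function Find-RecoveryPassword {
    param([string]$Text, [string]$KeyIdPrefix)
    # The recovery screen shows only the first 8 hex characters of the protector ID.
    Get-RecoveryPasswordFromDump -Text $Text |
        Where-Object { $_.KeyId.StartsWith($KeyIdPrefix.ToUpper()) }
}

function Update-RecoveryPassword {
    param([string]$MountPoint)
    # A recovery password that has been typed in or displayed counts as disclosed: add a fresh
    # one, then delete every older recovery password protector on the volume.
    $old = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
           Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -Last 1).RecoveryPassword
}

# Usage: the prefix is what the BitLocker recovery screen displayed.
$hit = Find-RecoveryPassword -Text $SampleDump -KeyIdPrefix '634666FA'
if (-not $hit) { throw 'No recovery password with that Key ID in the backup; check the Microsoft account page.' }
if (-not (Test-RecoveryPassword $hit.RecoveryPassword)) { throw 'Backup is corrupt or was mistyped.' }

# A locked data drive has no pre-boot prompt; unlock it from the running OS instead.
if ((Get-BitLockerVolume -MountPoint 'D:').LockStatus -eq 'Locked') {
    Unlock-BitLocker -MountPoint 'D:' -RecoveryPassword $hit.RecoveryPassword | Out-Null
}
$fresh = Update-RecoveryPassword -MountPoint 'D:'
Write-Host "Record the new recovery password for D: in your backup now: $fresh"
```

The rotation step is the part the wizard never does for you: once a recovery password has been read off a screen or a printout, treat it as burned and replace it, then update the Microsoft account or offline copy with the new one.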
How to add TPM PIN at startup
If you want the device to require a PIN at startup, a Local Policy or Group Policy setting must allow it first.
Open gpedit.msc (Local Group Policy Editor) and navigate to Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.
Enable the following settings:
Require additional authentication at startup, with Configure TPM startup PIN set to Allow startup PIN with TPM (or Require startup PIN with TPM if the PIN is to be mandatory)
Optionally, Allow enhanced PINs for startup, which allows letters, symbols, numbers and spaces in the PIN (the firmware must be able to accept those characters before Windows loads)
Configure minimum PIN length for startup: enabled, with the minimum number of characters to use.
If the policy above is not set, you will get an error:
Error: An error occurred (code 0x80310060): Group Policy settings do not permit the use of a PIN at startup. Please choose a different BitLocker startup option.
After the policy has applied (run gpupdate /force or restart), run the following command with the -TPMAndPIN parameter. It prompts for the new PIN and replaces the existing TPM-only protector, so the PIN is required at every boot from then on:
manage-bde -protectors -add c: -tpmandpin
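The same TPM+PIN setup done from PowerShell, as an added example that is not part of the original post: the three policy settings above are written to the local-policy registry key that gpedit.msc populates, then the protector is added with Add-BitLockerKeyProtector. It assumes a stand-alone machine (no domain GPO that would overwrite these values at refresh), C: already protected by a TPM protector, and that the registry value names below are the ones these policies write; confirm them in gpedit.msc on your build before relying on them.

```powershell
# Added example, not from the original post. Registry value names are my understanding of what the
# 'Operating System Drives' policies write; verify against gpedit.msc on your build.
#Requires -RunAsAdministrator

$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-StartupPinPolicy {
    param([int]$MinimumLength = 8, [switch]$RequirePin)
    # 'Require additional authentication at startup' drop-downs: 0 = do not allow, 1 = require, 2 = allow.
    $pinMode = if ($RequirePin) { 1 } else { 2 }
    New-Item -Path $Fve -Force | Out-Null
    $values = @{
        UseAdvancedStartup = 1
        EnableBDEWithNoTPM = 0            # keep the TPM mandatory
        UseTPM             = 2            # TPM-only still allowed until the PIN protector exists
        UseTPMPIN          = $pinMode     # 'Configure TPM startup PIN'
        UseTPMKey          = 2
        UseTPMKeyPIN       = 2
        UseEnhancedPin     = 1            # 'Allow enhanced PINs for startup'
        MinimumPIN         = $MinimumLength   # 'Configure minimum PIN length for startup'
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $Fve -Name $name -Value $values[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Add-StartupPin {
    param([string]$MountPoint = 'C:', [Parameter(Mandatory)][securestring]$Pin)
    try {
        # Replaces the TPM-only protector with TPM+PIN; the PIN is required at every boot.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin -ErrorAction Stop | Out-Null
    } catch {
        # 0x80310060 is the error the post shows when policy does not permit a startup PIN.
        if ($_.Exception.Message -match '0x80310060|PIN at startup') {
            throw 'Group Policy does not permit a startup PIN yet; set the policy (or run gpupdate /force) and retry.'
        }
        throw
    }
    # Return the protector that is now in place so the caller can confirm the type is TpmPin.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin'
}

Set-StartupPinPolicy -MinimumLength 8
$pin = Read-Host -AsSecureString -Prompt 'New startup PIN (8 or more characters)'
Add-StartupPin -MountPoint 'C:' -Pin $pin
```

Test the PIN once with a reboot before you walk away from the machine; if the pre-boot environment cannot read the keyboard layout or the enhanced-PIN characters you chose, the only way back in is the recovery password.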
To suspend and resume BitLocker temporarily: this does not decrypt the drive, it only suspends protection, by default for 1 restart, after which protection resumes automatically. Do this before a firmware or boot-loader update so that the changed boot measurements do not send the machine into recovery.
Suspend: manage-bde -protectors -disable c:
Resume: manage-bde -protectors -enable c:
Suspend for an unlimited number of restarts: manage-bde -protectors -disable c: -rc 0
-rc 0 sets the RebootCount to 0, which keeps protection suspended even after multiple restarts until you resume it manually. While suspended, the key that unlocks the volume is stored on the disk in the clear, so resume as soon as the maintenance is done. The PowerShell equivalents are Suspend-BitLocker -MountPoint c: -RebootCount 1 and Resume-BitLocker -MountPoint c:.
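An added example, not from the original post, of the suspend/resume pattern above used around a maintenance step: protection is suspended with Suspend-BitLocker, the step runs, and protection is resumed immediately if the step fails or if no reboot was needed, so the key is never left unprotected longer than necessary. The firmware updater path and arguments are made up; substitute your vendor's tool.

```powershell
# Added example, not from the original post. 'C:\Temp\FirmwareUpdate.exe' is a made-up placeholder.
#Requires -RunAsAdministrator

function Invoke-WithBitLockerSuspended {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][scriptblock]$Action,
        [int]$RebootCount = 1   # resume automatically after this many restarts; 0 = until resumed manually
    )
    $before = Get-BitLockerVolume -MountPoint $MountPoint
    if ($before.ProtectionStatus -ne 'On') {
        throw "$MountPoint protection is $($before.ProtectionStatus): not encrypted, or already suspended."
    }
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    $succeeded = $false
    try {
        & $Action
        $succeeded = $true
    } finally {
        # If the step failed, or it needs no reboot (RebootCount 0 was chosen), do not leave the
        # key in the clear on disk: resume right away instead of waiting for a restart.
        if (-not $succeeded -or $RebootCount -eq 0) {
            Resume-BitLocker -MountPoint $MountPoint | Out-Null
        }
    }
    # ProtectionStatus 'Off' here means suspended (VolumeStatus stays FullyEncrypted), not decrypted.
    Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage: suspend for one restart, run the (assumed) firmware updater, then reboot; protection
# resumes on its own at that restart because the new measurements are sealed then.
$vol = Invoke-WithBitLockerSuspended -MountPoint 'C:' -RebootCount 1 -Action {
    Start-Process -FilePath 'C:\Temp\FirmwareUpdate.exe' -ArgumentList '/silent' -Wait
}
'{0}: VolumeStatus={1} ProtectionStatus={2}' -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus
# Restart-Computer
```

Note the distinction the status output makes: VolumeStatus reports whether the data is encrypted, ProtectionStatus reports whether the key protectors are in force. A suspended drive is still FullyEncrypted but its ProtectionStatus is Off, and manage-bde -status shows the same pair of fields.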
Commands to autounlock the drive
When auto-unlock is disabled on the additional drive, it shows a lock icon, and double-clicking it prompts for the 48-digit recovery password to unlock it. That has to be repeated after every restart. Auto-unlock can be managed with the following commands.
Command-line utility:
Enable auto-unlock: manage-bde -autounlock -enable d:
Disable auto-unlock: manage-bde -autounlock -disable d:
Equivalent PowerShell cmdlets for auto-unlocking the drive:
Enable-BitLockerAutoUnlock -MountPoint d:
Disable-BitLockerAutoUnlock -MountPoint d:
These commands perform the same function as right-clicking the drive, selecting Manage BitLocker and then Turn on auto-unlock. Auto-unlock stores the data drive's key on the BitLocker-protected operating system drive, so it only works while that OS drive is unlocked on this computer; if the disk is moved to another machine, the recovery password is still required.
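An added example, not from the original post, that applies the auto-unlock cmdlets above to every fixed data volume while checking the conditions the GUI checks silently: the operating system volume must be protected (that is where the auto-unlock key is kept), and the data volume must be encrypted and currently unlocked. Drive letters are discovered rather than assumed.

```powershell
# Added example, not from the original post.
#Requires -RunAsAdministrator

function Set-DataVolumeAutoUnlock {
    param([switch]$Disable)
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    if (-not $Disable -and $os.ProtectionStatus -ne 'On') {
        throw 'The operating system volume is not protected; auto-unlock would store the data key on an unprotected drive.'
    }
    foreach ($vol in Get-BitLockerVolume | Where-Object VolumeType -eq 'Data') {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            Write-Host "$($vol.MountPoint): not encrypted, skipped"
            continue
        }
        if ($Disable) {
            # After this the drive needs the recovery password (or a password protector) at every restart.
            if ($vol.AutoUnlockEnabled) { Disable-BitLockerAutoUnlock -MountPoint $vol.MountPoint | Out-Null }
        } else {
            if ($vol.LockStatus -eq 'Locked') {
                Write-Warning "$($vol.MountPoint) is locked; unlock it with Unlock-BitLocker before enabling auto-unlock"
                continue
            }
            if (-not $vol.AutoUnlockEnabled) { Enable-BitLockerAutoUnlock -MountPoint $vol.MountPoint | Out-Null }
        }
        $after = Get-BitLockerVolume -MountPoint $vol.MountPoint
        [pscustomobject]@{
            MountPoint        = $after.MountPoint
            VolumeStatus      = $after.VolumeStatus
            AutoUnlockEnabled = $after.AutoUnlockEnabled
        }
    }
}

Set-DataVolumeAutoUnlock             # enable on every encrypted, unlocked data volume
# Set-DataVolumeAutoUnlock -Disable  # undo it again
```

Running the function without -Disable is the scripted form of ticking Automatically unlock this drive on this computer in the wizard; the returned objects let you confirm AutoUnlockEnabled is True for each data volume before relying on it.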