BitLocker Recovery Key Not Found in Microsoft Entra ID — How to Fix
What to do when a BitLocker recovery key is not backed up to Microsoft Entra ID. Covers finding keys in alternative locations, forcing a backup, and preventing the issue.
Overview
You are staring at a BitLocker recovery screen asking for a 48-digit recovery key. You check Microsoft Entra ID — nothing. This is one of the most stressful situations in IT support, because without that key, the data on the drive is permanently inaccessible.
This guide covers where else to look, how to force a backup if the drive is still accessible, and how to prevent this from happening again.
Step 1: Confirm the Key ID
The BitLocker recovery screen shows a Key ID (the first 8 characters of the recovery key identifier). Write this down — you need it to search for the correct key.
Example: Key ID: 6A8B2F4C
Step 2: Search All Possible Locations
Microsoft Entra ID
- Go to the Microsoft Entra admin center (entra.microsoft.com) > Devices > search for the device name
- Click the device > BitLocker keys
- Match the Key ID to the recovery key
If the device does not appear or has no keys:
# Search via Microsoft Graph PowerShell
Connect-MgGraph -Scopes "BitLockerKey.Read.All"
Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq 'DEVICE-OBJECT-ID'" | Select-Object Id, CreatedDateTime, DeviceId
On-premises Active Directory
If the device was ever domain-joined:
# Search by computer name
$computer = Get-ADComputer -Identity "COMPUTER-NAME"
Get-ADObject -Filter {objectClass -eq 'msFVE-RecoveryInformation'} -SearchBase $computer.DistinguishedName -Properties msFVE-RecoveryPassword | Select-Object Name, msFVE-RecoveryPassword
Microsoft account (personal devices)
If the PC was set up with a personal Microsoft account, the key may be at:
https://account.microsoft.com/devices/recoverykey
The user must sign in with the Microsoft account that was active when BitLocker was enabled.
Printed or saved to a file
When BitLocker was first enabled, the user may have been prompted to save the key. Check:
- USB drives
- Printed documents
- Text files on other drives or cloud storage
- IT team documentation or ticketing systems
Intune
If the device is managed by Intune:
- Go to Microsoft Intune admin center (intune.microsoft.com) > Devices > All devices
- Search for the device > Recovery keys
Step 3: The Drive Is Still Accessible — Force a Backup Now
If the device is currently running (not at the recovery screen), back up the key immediately before it is needed:
Backup to Microsoft Entra ID
# Find the recovery key protector ID
$volume = Get-BitLockerVolume -MountPoint "C:"
$recoveryProtector = $volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
# Display the recovery key (save this!)
$recoveryProtector.RecoveryPassword
# Backup to Microsoft Entra ID
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $recoveryProtector.KeyProtectorId
Backup to on-premises AD
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $recoveryProtector.KeyProtectorId
Save to a file (last resort)
manage-bde -protectors -get C: > "\\server\share\BitLockerKeys\$env:COMPUTERNAME.txt"
If you save recovery keys to a file, ensure the file is stored in a secure, access-controlled location. Recovery keys provide full access to the encrypted drive.
Step 4: No Key Found — Data Recovery Options
If no recovery key exists anywhere:
Option A: Suspend BitLocker (if Windows is running)
If the PC boots into Windows but is asking for the recovery key at pre-boot, try suspending BitLocker:
# If you can boot into Windows (e.g., via Safe Mode)
Suspend-BitLocker -MountPoint "C:" -RebootCount 1
This is possible when the recovery prompt is caused by a BIOS update or TPM firmware change, not a lost key.
Option B: Check for a clear key
In some rare configurations, the drive may have a "clear key" protector (used during encryption setup):
manage-bde -protectors -get C:
Look for a protector of type "External Key" — if found, the key file (.BEK) may be on a USB drive.
Option C: Accept data loss
If no key can be found and the drive cannot be unlocked, the data is unrecoverable. The drive must be reformatted:
- Boot from a Windows installation USB
- Open a command prompt (Shift + F10)
- Run
diskpart>select disk 0>clean>create partition primary>format fs=ntfs quick - Reinstall Windows
Why Keys Go Missing
| Scenario | What Happened |
|---|---|
| Device not Microsoft Entra joined | BitLocker enabled before Microsoft Entra join — key had nowhere to back up |
| User-initiated encryption | User enabled BitLocker via Settings without IT knowledge — no backup policy in place |
| Microsoft Entra hybrid join timing | Device was domain-joined and BitLocker enabled before Microsoft Entra Connect synced the device |
| Intune policy gap | BitLocker policy deployed but "require backup before encryption" was not checked |
| VM or non-TPM device | BitLocker used a password protector that was never recorded |
Prevention
Intune policy settings
In your Intune BitLocker policy, ensure:
| Setting | Value |
|---|---|
| Store recovery information in Microsoft Entra ID | Required |
| Do not enable BitLocker until recovery information is stored | Yes |
| Recovery key rotation after use | Enabled |
Group Policy settings
Set "Do not enable BitLocker until recovery information is stored in AD DS" to Enabled under:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Monitoring
Run a monthly report to find devices with BitLocker enabled but no key in Microsoft Entra ID:
# Compare encrypted devices vs. devices with stored keys
$encryptedDevices = Get-MgDeviceManagementManagedDevice -Filter "isEncrypted eq true" | Select-Object DeviceName, Id
foreach ($device in $encryptedDevices) {
$keys = Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$($device.Id)'" -ErrorAction SilentlyContinue
if (-not $keys) {
Write-Warning "NO KEY: $($device.DeviceName)"
}
}
Treat a missing recovery key as a P2 incident. The key is only needed when something goes wrong (BIOS update, hardware failure, OS corruption), and by then it is too late to create one.
Related Articles
Was this article helpful?