Why are there multiple recovery keys?

Cataster 661 Reputation points
2022-06-20T20:35:50.3+00:00

We had a user device showing as non-compliant in Endpoint Manager due to Secure Boot not being enabled. In order to enable it, we converted the device from MBR to GPT so we could switch it from Legacy BIOS to UEFI and then enable Secure Boot. As part of this process we had to turn BitLocker off and then back on after we completed this.

For some reason, though, a ton of recovery keys are being generated, as shown in Endpoint Manager. I compared it to other devices and noted that other devices only have 1 recovery key. Something else interesting I noted for Drive Type is that at some point it was generating multiple keys for "Operating System Drive", but now it has switched the drive type to "Fixed data drive".

[Image: 213077-recovery-keys.png]

Why is it doing this? The device remains non-compliant and I can't find much information about this issue. I ran into this post/answer here, but I don't think it applies since we don't have Windows 10 v1809; instead we have Windows 10 v20H2.

Device info:

Edition Windows 10 Business
Version 20H2
Installed on 7/6/2020
OS build 19042.1706
Experience Windows Feature Experience Pack 120.2212.4170.0
Tags: windows-10, bitlocker


Accepted answer
Crystal-MSFT 53,981 Reputation points Microsoft External Staff
2022-06-21T02:53:48.517+00:00

@Cataster, to enable BitLocker, we can turn it on for the Operating System Drive or the Fixed data drive. It seems we enabled it on both, so we get a recovery key for both.
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq

For multiple recovery keys, based on my research, it may be caused by the BitLocker process being interrupted in between, either due to machine-level issues like with the TPM or due to end-user actions; the process starts again, causing the service to generate multiple keys. If you have more questions, you can open a case with AAD or Windows support to learn more.
https://learn.microsoft.com/en-us/answers/questions/504127/why-bitlocker-recovery-keys-generated-multiple-tim.html

In your description, I notice the device shows as not compliant after we enabled Secure Boot. Could you check if the user check-in time has updated? If not, please go to the affected device, install Company Portal, open it, tap Device, select the device, and under Device Status click "check access" to see if the compliance status changes.

[Image: 213203-image.png]

Hope it can help.


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
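The volume-type and key-protector split the answer describes can be checked on the device itself, which helps match the keys listed in Endpoint Manager to what the machine actually holds. The following PowerShell is an added example, not code from this thread or from Microsoft; the function name and the -EscrowToAAD switch are this example's own, while Get-BitLockerVolume and BackupToAAD-BitLockerKeyProtector are the real cmdlets of the Windows BitLocker module. It assumes Windows 10/11 and an elevated session.

```powershell
# Added example: summarise BitLocker key protectors per volume so that
# "multiple recovery keys" in Intune can be traced to a specific volume
# (OperatingSystem vs Data) and to stale RecoveryPassword protectors.
function Get-BitLockerRecoverySummary {
    [CmdletBinding()]
    param(
        # Hypothetical switch defined by this script: escrow every
        # RecoveryPassword protector to Azure AD using the built-in
        # BackupToAAD-BitLockerKeyProtector cmdlet.
        [switch]$EscrowToAAD
    )

    foreach ($vol in Get-BitLockerVolume) {
        # Only RecoveryPassword protectors correspond to the 48-digit
        # recovery keys shown in Endpoint Manager; TPM, TpmPin and
        # ExternalKey protectors are not recovery keys.
        $recovery = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        if ($EscrowToAAD) {
            foreach ($kp in $recovery) {
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
        }

        [pscustomobject]@{
            MountPoint           = $vol.MountPoint
            # VolumeType is 'OperatingSystem' or 'Data'; this is the
            # "Drive Type" column the question refers to.
            VolumeType           = $vol.VolumeType
            ProtectionStatus     = $vol.ProtectionStatus
            ProtectorTypes       = ($vol.KeyProtector.KeyProtectorType -join ',')
            RecoveryProtectors   = $recovery.Count
            RecoveryProtectorIds = ($recovery.KeyProtectorId -join ',')
            # More than one RecoveryPassword on a single volume is the
            # symptom described above: interrupted enable/disable cycles
            # can leave earlier protectors behind.
            HasStaleRecoveryKeys = ($recovery.Count -gt 1)
        }
    }
}

# Usage: list every volume; add -EscrowToAAD to push the current
# recovery passwords to Azure AD after reviewing the output.
Get-BitLockerRecoverySummary | Format-Table -AutoSize
```

Compare the RecoveryProtectorIds column against the key IDs shown in Endpoint Manager; a volume with several RecoveryPassword protectors explains several escrowed keys for one device.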

