Why are there multiple recovery keys?

Cataster 641 Reputation points
2022-06-20T20:35:50.3+00:00

We had a user device showing as non-compliant in Endpoint Manager due to Secure Boot not being enabled. In order to enable it, we converted the device from MBR to GPT so we could switch it from Legacy BIOS to UEFI and then enable Secure Boot. As part of this process we had to turn BitLocker off and then back on after we completed this.

For some reason though, there are a ton of recovery keys being generated, as shown in Endpoint Manager. I compared with other devices and noted that other devices only have 1 recovery key. Also, something interesting I noted for Drive Type is that at some point it was generating multiple keys for "Operating System Drive", but now it has switched the drive type to "Fixed data drive".

[Screenshot: 213077-recovery-keys.png, the device's recovery key list in Endpoint Manager]

Why is it doing this? The device remains non-compliant and I can't find much information about this issue. I ran into this post here/answer, but I don't think it applies since we don't have Windows 10 v1809; we have Windows 10 v20H2 instead.

Device info:

Edition Windows 10 Business
Version 20H2
Installed on 7/6/2020
OS build 19042.1706
Experience Windows Feature Experience Pack 120.2212.4170.0

Accepted answer
    Crystal-MSFT 42,956 Reputation points Microsoft Vendor
    2022-06-21T02:53:48.517+00:00

    @Cataster, to enable BitLocker, we can turn it on for the Operating System Drive or a Fixed data drive. It seems we enabled it on both, so we get a recovery key for both.
    https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq

    For multiple recovery keys, based on my research, it may be caused by the BitLocker process being interrupted in between, either due to machine-level issues like with the TPM or due to end user actions; the process then starts again, causing the service to generate multiple keys. If you have more questions, you can open a case with AAD or Windows support to learn more.
    https://learn.microsoft.com/en-us/answers/questions/504127/why-bitlocker-recovery-keys-generated-multiple-tim.html

    In your description, I notice the device shows as not compliant after we enabled Secure Boot. Could you check if the user check-in time has updated? If not, please go to the affected device, install Company Portal, open it, tap Device, select the device and, under Device Status, click "check access" to see if the compliance status changes.

    [Screenshot: 213203-image.png]

    Hope it can help.


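As an added example (not from this thread or from Microsoft's documentation), a PowerShell diagnostic that pulls together the items the answer touches on: Secure Boot state, TPM readiness, partition style, and how many recovery-password protectors each BitLocker volume actually carries locally, so that count can be compared with what Endpoint Manager displays. The function name is my own; the cmdlets are standard Windows 10 modules, run from an elevated prompt on the affected device.

```powershell
# Added diagnostic (not from the thread): report the firmware/TPM state the
# answer mentions and count BitLocker recovery-password protectors per volume.
# Run in an elevated PowerShell session on the affected Windows 10 device.
function Get-BitLockerRecoveryReport {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI throws on a legacy BIOS / MBR boot, so catch that case.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { 'Unsupported (legacy BIOS?)' }

    # A TPM that is present but not ready is one way BitLocker setup gets interrupted.
    $tpm = Get-Tpm

    # GPT is required for UEFI + Secure Boot; confirms the MBR-to-GPT conversion took.
    $disks = (Get-Disk | ForEach-Object { "Disk$($_.Number)=$($_.PartitionStyle)" }) -join ', '

    Write-Host "SecureBoot : $secureBoot"
    Write-Host "TPM        : Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
    Write-Host "Disks      : $disks"

    foreach ($vol in Get-BitLockerVolume) {
        # Only RecoveryPassword protectors are the 48-digit keys escrowed to AAD/Intune.
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType          # OperatingSystem, or Data ("Fixed data drive" in Intune)
            ProtectionStatus  = $vol.ProtectionStatus
            EncryptionPercent = $vol.EncryptionPercentage
            RecoveryKeyCount  = $recovery.Count          # more than one on a volume means protectors were re-created
            RecoveryKeyIds    = ($recovery.KeyProtectorId -join ', ')
        }
    }
}

Get-BitLockerRecoveryReport | Format-Table -AutoSize
```

If a volume shows several recovery-password IDs locally, `manage-bde -protectors -get <drive>` lists the same protectors and is a useful cross-check against the key IDs shown in Endpoint Manager.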

