Bitlocker has encrypted devices without a recovery key

Robert Campbell 1 Reputation point
2021-01-20T20:20:21.45+00:00

Hi,
I have an issue where a number of devices on the network have encrypted without a recovery key (which I didn't think was possible); most of the devices have correctly stored the key in AD and Azure. A GPO exists to force a 48-digit recovery key and store it in AD.
So a couple of questions:

  1. How can this have happened?
  2. How do I create a new recovery key on the devices missing one?
    I'm stumped at the moment.

5 answers

  1. Joy Qiao 4,911 Reputation points Microsoft Employee Moderator
    2021-01-21T02:59:47.52+00:00

    Hi,

    Did those computers join the domain before they were encrypted?
    The computer needs to be domain-joined before encryption; if not, additional steps are necessary to back up the recovery key to AD manually. Please refer to: What if BitLocker is enabled on a computer before the computer has joined the domain?

    Does the issue occur after encryption?
    Are you using SCCM or MBAM to manage BitLocker?

    I would also like to confirm whether the affected devices are located in the same AD group as the devices that work well.
    Please run "gpresult /h gp.html" as administrator; it will generate a report in the C drive named gp.html, so you can check whether the affected devices have applied the BitLocker group policy.

    If your domain controller is unreachable at the time the BitLocker setup wizard is run, the backup will fail.
    If you encounter such an issue, you can run the following backup script as administrator to back up the recovery key again. (Source link)

    # Locate the OS volume and its RecoveryPassword (48-digit) key protector
    $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    # Escrow that protector to AD DS and to Azure AD (a domain controller and Azure AD must be reachable)
    Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorId
    BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorId

    Bests,

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Robert Campbell 1 Reputation point
    2021-01-21T08:13:42.803+00:00

    Hi,

    Thanks for your response, all the devices are in the same OU, domain joined and built using the same SCCM task sequence.

    There is no recovery key to back up, however; when I run the PowerShell scripts to back up to AD or Azure I receive an error stating the same: no recovery key exists. This is what baffles me, to be honest: how the device can encrypt with no recovery key.

    Regards


  3. Joy Qiao 4,911 Reputation points Microsoft Employee Moderator
    2021-01-21T10:06:01.083+00:00

    Hi,

    Please check whether it is possible to back up the recovery key manually.

    Manually Backup BitLocker Recovery Key to AD

    Please also check whether any error message is recorded in Event Viewer\Windows Logs\System.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Bests,



  4. Robert Campbell 1 Reputation point
    2021-01-21T12:56:20.35+00:00

    Hi,

    The second command returns an error that no key protectors exist for the ID.

    Thanks

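    As an added example (not code from this thread or from Microsoft), the script below handles the state reported in this reply, where the backup commands from the first answer fail because the volume has no RecoveryPassword protector at all: it adds one if missing, escrows every recovery password on the OS volume to AD DS and Azure AD, and then reads the BitLocker Management log for the backup result events. It assumes an elevated PowerShell session on a domain-joined device; event IDs 845 (backup to AD DS succeeded) and 846 (backup to AD DS failed) are the BitLocker-API events used for the check.

```powershell
# Added example: repair a BitLocker volume that has no RecoveryPassword protector
# and escrow the recovery password to AD DS and Azure AD. Run elevated.
$MountPoint = $env:SystemDrive
$Volume = Get-BitLockerVolume -MountPoint $MountPoint

if ($Volume.VolumeStatus -eq 'FullyDecrypted') {
    Write-Warning "$MountPoint is not encrypted; nothing to escrow."
    return
}

# Backup-BitLockerKeyProtector reports "no key protectors exist" when this is $null,
# which is the symptom described in the thread. Create the protector before backing up.
$Recovery = $Volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $Recovery) {
    Write-Host "No RecoveryPassword protector on $MountPoint; adding one."
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $Recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

# A volume may carry more than one recovery password; escrow each so the directory
# matches what is on the disk. Failures (e.g. no DC reachable) are reported, not fatal.
foreach ($Protector in @($Recovery)) {
    $Id = $Protector.KeyProtectorId
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $Id -ErrorAction Stop
        Write-Host "Escrowed $Id to AD DS."
    } catch {
        Write-Warning "AD DS escrow of $Id failed: $($_.Exception.Message)"
    }
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $Id -ErrorAction Stop
        Write-Host "Escrowed $Id to Azure AD."
    } catch {
        Write-Warning "Azure AD escrow of $Id failed: $($_.Exception.Message)"
    }
}

# Confirm the result from the BitLocker-API log: 845 = AD DS backup succeeded, 846 = failed.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 845, 846
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

    Running it on a healthy device is harmless: the existing protector is left in place and is simply escrowed again.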

  5. Nur Atikah Zainuldin 1 Reputation point
    2022-12-28T02:47:59.7+00:00

    I believe this issue persists for some users of Microsoft BitLocker. This is a really disappointing issue to have happened in Microsoft. Some of our VIP devices are encrypted without a key stored. If anyone has any findings, please share.
