Why bitlocker recovery keys generated multiple times for some users/devices

Wahyu Triyantoro 21 Reputation points


We have Hybrid azure AD configured and Intues setup for bitlocker, everything seems to be working as it should be however, some Devices (PC/Laptops) have multiple recovery keys stored in its profile. but some devices has only a key

Can you tell me what am I done wrong


Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
1,906 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,767 questions
0 comments No comments
{count} votes

Accepted answer
  1. VipulSparsh-MSFT 16,236 Reputation points Microsoft Employee

    @Wahyu Triyantoro When the bitlocker process is interrupted in between either due to machine level issues like with TPM, or with the end user actions, the process starts again causing the service to generate multiple keys.

    A valid key always be found by matching the Recovery ID in those scenarios. If you want to know in deep a support case might be a good way to investigate to understand what could have went wrong. Needs debug logs level analysis.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. MTG 1,196 Reputation points

    Recovery keys are created per partition. Multiple partitions ->multiple keys.
    If you decrypt and re-encrypt a drive, a new key is generated as well.

    0 comments No comments