
BitLocker Recovery Key Not Available for Corporate Device

Gonzalo Arriagada 0 Reputation points
2026-03-11T18:19:11.65+00:00

We have a Lenovo ThinkPad laptop that is currently locked by BitLocker recovery after a disruption: the laptop turned off while charging with an iPhone USB-C charger and then had an attention problem at startup, showing the code "0183: Bad CRC of Security Settings in EFI variable".

So, Lenovo Technical Services changed its motherboard to overcome the issue.

But now, during startup, the system requests the BitLocker Recovery Key and shows the following Recovery Key ID:

PII

The message indicates that Secure Boot had been disabled, which triggered BitLocker protection. We have already:

  • Re-enabled Secure Boot in the BIOS
  • Verified that the TPM 2.0 security chip is enabled
  • Confirmed that the device is functioning normally at the firmware level

However, the system still requires the recovery key to boot.

The device was originally configured using a corporate Microsoft 365 account, but when checking:

  • Microsoft Entra ID (Devices)
  • Microsoft Account recovery key portal
  • User device list

We cannot find the BitLocker recovery key associated with this device.

Additionally, the device appears in Entra as:

  • Join type: Microsoft Entra Registered (not Azure AD Joined)

We would like assistance determining:

  • Whether the BitLocker recovery key could be stored in another Microsoft location linked to the corporate account.
  • If Microsoft can identify where the recovery key might have been stored based on the Recovery Key ID.
  • Whether there is any method to recover the key through Microsoft services.

The data on the device is important, so we are trying to avoid formatting the drive.

Please help.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Q&A Assist
    2026-03-11T18:19:32.8066667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Microsoft Support and Microsoft Entra ID cannot retrieve, regenerate, or locate a BitLocker recovery key if it was never backed up to a supported location. The recovery key ID alone is not sufficient for Microsoft to recover or look up the key.

    From the available information:

    1. BitLocker recovery keys can only be stored in specific locations. Supported locations include:
      • A Microsoft account (for consumer devices)
      • Microsoft Entra ID (for Entra-joined devices)
      • Active Directory Domain Services (AD DS) for domain-joined devices
      • A printed copy
      • A text file on a USB flash drive or other removable media
      • A helpdesk/IT-managed repository if your organization implemented one
      For corporate devices, the recommended approach is to save keys to Microsoft Entra ID or AD DS so administrators or helpdesk can retrieve them.
    2. Entra-registered vs Entra-joined. The device is shown as Microsoft Entra Registered, not Azure AD (Microsoft Entra) Joined. Entra registration alone does not guarantee that BitLocker keys are backed up to Entra ID. If the device was encrypted as a “personal” device that only registered to Entra (for example via Office apps or M365 sign-in), the key may never have been escrowed to Entra ID or AD DS.
    3. Where to check for the key. For a corporate scenario, the following locations must be checked by the organization’s IT/admins:
      • Microsoft Entra ID portal: Device → View BitLocker Keys (if keys were escrowed there)
      • On-premises AD DS (if the device was domain-joined and Group Policy was configured to back up keys)
      • Any internal IT asset management or key escrow system used by the organization
      • Printed copies or exported text files that may have been created when BitLocker was enabled
      If the device was ever signed in with a work or school account and the organization configured key backup, the recovery key may be accessible via the work/school account using the documented Entra self-service path.
    4. What Microsoft can do with the Recovery Key ID. The documentation explicitly states that Microsoft Support does not have the ability to retrieve, provide, or recreate a lost BitLocker recovery key. The Recovery Key ID is only used to match the correct key when there are multiple keys; it is not a lookup handle that Microsoft can use to find a key in Microsoft’s systems. Therefore:
      • Microsoft cannot use the Recovery Key ID to locate the key in any Microsoft backend.
      • Only locations where the key was actually backed up (Entra ID, AD DS, Microsoft account, printout, file, etc.) can be used to retrieve it.
    5. If the key cannot be found. If the organization’s IT department confirms that:
      • No key is stored in Microsoft Entra ID for this device
      • No key is stored in AD DS
      • No printed or file-based copy exists
      then the drive cannot be unlocked without the recovery key. The only remaining option is to reset or reimage the device using Windows recovery options, which will remove all data on the drive. The documentation is explicit: if the BitLocker recovery key cannot be found and the condition that triggered recovery cannot be undone, the device must be reset, and all files will be lost.

    Summary for this scenario:

    • There is no additional hidden Microsoft location where the key might be stored beyond the documented options.
    • Microsoft cannot identify or recover the key based on the Recovery Key ID.
    • Recovery is only possible if the organization or user can locate a backed-up copy of the key; otherwise, the drive must be reset/reformatted, and data will be lost.

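The two checks an IT admin would actually run for the scenario above: escrowing the recovery password of a still-bootable device to Microsoft Entra ID (so a Registered device does not end up with an un-escrowed key), and looking up a Recovery Key ID from the recovery screen via Microsoft Graph. This is an added example, not code from the question or the Q&A Assist answer; it assumes the BitLocker PowerShell module on the device, the Microsoft.Graph.Identity.SignIns module and the delegated BitLockerKey.Read.All permission on the admin side, and the mount point and sample key ID are constructed values.

```powershell
# Added example, not code from the question or the Q&A Assist answer.
# Assumes: Part 1 runs elevated on a Windows device with the BitLocker module;
# Part 2 runs on an admin workstation with Microsoft.Graph.Identity.SignIns
# installed and an account holding the delegated BitLockerKey.Read.All scope.
# The mount point and the key ID below are constructed sample values.

# --- Part 1 (prevention, on a device that still boots) --------------------
function Get-RecoveryProtectors {
    param([string]$MountPoint = 'C:')
    # The KeyProtectorId GUID of a RecoveryPassword protector is exactly the
    # "Recovery Key ID" that the BitLocker recovery screen displays.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object KeyProtectorId, RecoveryPassword
}

function Backup-RecoveryProtectorsToEntra {
    param([string]$MountPoint = 'C:')
    # Escrows each recovery password to the device's Entra ID object so an admin
    # can later retrieve it under Devices > (device) > BitLocker keys.
    # An Entra Registered device still needs this step; registering escrows nothing.
    foreach ($p in Get-RecoveryProtectors -MountPoint $MountPoint) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
        Write-Host "Escrowed protector $($p.KeyProtectorId) for $MountPoint"
    }
}

# --- Part 2 (lookup, on an admin workstation) -----------------------------
function Find-EntraRecoveryKey {
    param([Parameter(Mandatory)][string]$RecoveryKeyId)
    Connect-MgGraph -Scopes 'BitLockerKey.Read.All'
    try {
        # Graph returns the 'key' property only when it is requested explicitly.
        # A 404 here means no key with that ID was ever escrowed to this tenant,
        # which matches the answer's point: the ID alone cannot conjure a key.
        Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $RecoveryKeyId `
            -Property 'id,deviceId,createdDateTime,volumeType,key'
    } catch {
        Write-Warning "No escrowed key with ID $RecoveryKeyId in this tenant: $($_.Exception.Message)"
        $null
    }
}

# Usage (sample ID is constructed; substitute the ID shown on the recovery screen):
# Backup-RecoveryProtectorsToEntra -MountPoint 'C:'
# Find-EntraRecoveryKey -RecoveryKeyId '00000000-1111-2222-3333-444444444444'
```

Part 1 can only run before a device enters recovery; for the locked laptop in the question, only Part 2 (or the AD DS and paper/file locations the answer lists) can help.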
