BitLocker key for a device

Victor Motatu 0 Reputation points
2026-04-08T11:11:52.1966667+00:00

Hi, I have an issue: my laptop got repaired and now it's blocked. It's requesting a BitLocker key that is not in my ADMIN CENTER under the devices; there's nothing there.

How can I get it?

Windows for business | Windows Client for IT Pros | Devices and deployment | Recovery key

2 answers

  1. Harry Phan 17,125 Reputation points Independent Advisor
    2026-04-08T13:46:42.66+00:00

    Hi Victor,

    BitLocker recovery keys are never generated on the fly; they must have been saved at the time encryption was enabled. If the key is not showing in your Microsoft Entra (Azure AD) Admin Center under the device, it means it was not backed up there. The only valid ways to retrieve it are: checking if the recovery key was printed or saved to a file during setup, checking if it was stored in Active Directory (if the machine was domain-joined), or checking if it was saved to a Microsoft account linked to the device at https://account.microsoft.com/devices. If none of those locations contain the key, there is no supported method to bypass BitLocker.

    At this point, you should confirm whether the laptop was domain-joined or Azure AD-joined before repair, and whether the repair process may have replaced the motherboard or TPM, which can invalidate the old key. If the recovery key cannot be located in any of the supported storage locations, the only option is to reset the device and reinstall Windows. This is by design for security, and Microsoft does not provide any workaround to unlock a BitLocker-protected drive without the recovery key.

    Best Regards.


  2. Q&A Assist
    2026-04-08T11:12:15.1033333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    BitLocker keys are not stored in the Microsoft 365 admin center by default. If the device is asking for a BitLocker recovery key after repair and nothing appears under Devices in the admin center, the key must be found in one of the locations where it could have been backed up when BitLocker was first enabled.

    Use these steps in order:

    1. Note the Recovery Key ID
      • On the BitLocker recovery screen, write down the first 8 digits of the Recovery key ID. This is needed to match the correct key if you find multiple entries.
    2. Check the user’s Microsoft account backup
      • From another device, go to https://aka.ms/myrecoverykey.
      • Sign in with the Microsoft account that might have been used on the laptop.
      • Look for an entry whose Key ID matches the first 8 digits shown on the BitLocker screen, then use that 48‑digit key to unlock the device.
      • If someone else originally set up the device or turned on BitLocker, the key may be in that person’s Microsoft account.
    3. Check the work or school (Microsoft Entra ID) account
      • If the device was ever joined or signed in with a work/school account:
        1. From another device, go to https://aka.ms/aadrecoverykey.
        2. Sign in with the work or school account.
        3. Go to Devices, expand the affected device, and select View BitLocker Keys.
        4. Match the Key ID with the one on the BitLocker screen and use the corresponding 48‑digit key.
      • If the key is not visible there and the device is organization-managed, contact the organization’s IT/helpdesk; they may have the key in Microsoft Entra ID or AD DS.
    4. Check local backup locations
      • Look for:
        • A printed copy of the BitLocker recovery key among important device papers.
        • A USB flash drive that may contain a .txt file with the recovery key.
    5. If the key cannot be found
      • If none of the above locations contain a matching key, the recovery key cannot be recreated or retrieved by Microsoft or anyone else.
      • The only remaining option is to reset or clean‑install Windows using the available recovery options. This will remove all files on the encrypted drive.

    If the device is organization-managed and you do not see the key in your admin views, escalate to the appropriate IT/tenant admins to verify whether keys were ever escrowed to Microsoft Entra ID or on-premises AD. If no escrow exists and no user backup can be found, data on the drive cannot be recovered.


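For the escalation path in the second answer (verifying whether a key was ever escrowed to Microsoft Entra ID or on-premises AD DS), an administrator can search both stores by Key ID. This is an added example, not part of either answer; it assumes the RSAT ActiveDirectory module, the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns), an account permitted to read BitLocker keys, and a constructed placeholder for the Key ID prefix.

```powershell
# Added example: find escrowed BitLocker recovery keys by Key ID prefix.
# Constructed placeholder: replace with the first 8 characters of the
# Recovery key ID shown on the BitLocker recovery screen.
$KeyIdPrefix = '1A2B3C4D'

# --- On-premises AD DS ---------------------------------------------------
# Escrowed keys are msFVE-RecoveryInformation objects stored beneath the
# computer account. The object name is "<timestamp>{<recovery GUID>}", so
# the Key ID prefix (followed by the GUID's first hyphen) appears in it.
Import-Module ActiveDirectory
$adHits = Get-ADObject `
    -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*$KeyIdPrefix-*'" `
    -Properties 'msFVE-RecoveryPassword', whenCreated

# Show which computer each match belongs to before revealing any password.
$adHits | Select-Object Name, whenCreated,
    @{ Name = 'Computer'; Expression = { ($_.DistinguishedName -split ',', 2)[1] } }

# Reveal the 48-digit recovery password only for the confirmed match.
$adHits | ForEach-Object { $_.'msFVE-RecoveryPassword' }

# --- Microsoft Entra ID (Microsoft Graph) --------------------------------
# BitLockerKey.Read.All is needed to read the key value itself; listing
# returns metadata only (Id, DeviceId, CreatedDateTime, VolumeType).
Connect-MgGraph -Scopes 'BitLockerKey.Read.All'
$entraHits = Get-MgInformationProtectionBitlockerRecoveryKey -All |
    Where-Object { $_.Id -like "$KeyIdPrefix-*" }

$entraHits | Select-Object Id, DeviceId, CreatedDateTime, VolumeType

# The key value must be requested explicitly per key; each such read is
# recorded in the Entra audit log.
foreach ($hit in $entraHits) {
    $full = Get-MgInformationProtectionBitlockerRecoveryKey `
        -BitlockerRecoveryKeyId $hit.Id -Property 'key'
    [pscustomobject]@{ KeyId = $hit.Id; DeviceId = $hit.DeviceId; RecoveryKey = $full.Key }
}

# No match in either store means the key was never escrowed there.
if (-not $adHits -and -not $entraHits) {
    Write-Output "No escrowed key found for Key ID prefix $KeyIdPrefix"
}
```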
