Retrieving BitLocker Recovery Keys from Intune and Entra ID
Overview:
This article provides step-by-step instructions on how to retrieve BitLocker recovery keys for managed devices using Microsoft Intune and Entra ID (formerly Azure AD). These keys are essential for unlocking encrypted drives in case of device failures or password issues.
Retrieve BitLocker Keys from Microsoft Intune
Prerequisites:
Steps:
- Sign in to Intune
- Locate the Device
  Navigate to Devices > All Devices.
  Use the search bar to find the affected device by name or serial number.
  Click on the device name to open its details page.
- Retrieve the BitLocker Key
  Under Monitor, select Recovery keys.
  Locate the BitLocker recovery key and copy it.
  Provide the key to the end user to unlock their drive.
Retrieve BitLocker Keys from Entra ID (Azure AD)
Prerequisites:
Global Administrator, Help Desk Administrator, or Security Administrator role in Entra ID.
The device must be hybrid-joined or Entra ID-joined.
Steps:
- Sign in to Entra ID
- Locate the Device
  Navigate to Identity > Devices > All Devices or Identity > Devices > BitLocker keys.
  Search for the affected device by name or serial number, or by the BitLocker key ID (the 32-digit key ID shown on the BitLocker recovery screen).
  Click on the device name to open its details page.
- Retrieve the BitLocker Key
  Under Device Details, click on Show Recovery Keys.
  Locate the BitLocker recovery key and copy it.
  Provide the key to the end user to unlock their drive.
Troubleshooting
If the device does not appear in Intune or Entra ID, verify that it is correctly enrolled.
If the BitLocker key is missing, check the "Live - Backup BitLocker Keys to AAD" Intune script: confirm that it forces key backup to Entra ID and that it is assigned to the affected device.
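To verify what a key-backup script of that kind actually does on a device, the following added example (not the "Live - Backup BitLocker Keys to AAD" script itself) escrows every recovery password to Entra ID with the built-in BitLocker module and reports the key protector ID that the help desk matches against the recovery screen. It assumes the device is Entra ID-joined or hybrid-joined and the script runs elevated (as SYSTEM when deployed through Intune).

```powershell
# Added example: escrow every BitLocker recovery password to Entra ID and
# report the key protector ID (the 32-digit ID shown on the recovery screen)
# so the escrow can be confirmed afterwards under Intune > Recovery keys or
# Entra ID > Devices > BitLocker keys. Assumes an Entra ID-joined or
# hybrid-joined device and an elevated session.

$results = foreach ($vol in Get-BitLockerVolume) {
    # Only a numerical recovery password can be escrowed; TPM/PIN protectors cannot.
    $recoveryProtectors = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recoveryProtectors) {
        # A volume without a recovery password will never show a key in the portal.
        [pscustomobject]@{
            MountPoint     = $vol.MountPoint
            KeyProtectorId = $null
            Status         = 'NoRecoveryPassword'
        }
        continue
    }

    foreach ($kp in $recoveryProtectors) {
        try {
            # Pushes this protector's recovery password to the device object in
            # Entra ID. Re-running is safe; an already-escrowed key is simply updated.
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            $status = 'BackedUp'
        }
        catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            MountPoint     = $vol.MountPoint
            KeyProtectorId = $kp.KeyProtectorId   # compare with the ID on the recovery screen
            Status         = $status
        }
    }
}

$results | Format-Table -AutoSize

# Intune treats a non-zero exit code as a failed script run, so any escrow
# failure becomes visible in the script's device status instead of being silent.
if ($results.Status -match '^Failed') { exit 1 } else { exit 0 }
```

The BitLocker module is only available in the 64-bit host, so when the script is assigned from Intune set "Run script in 64-bit PowerShell host" to Yes; otherwise the run fails before any key is escrowed.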