How can I retrieve my BitLocker Recovery key ?

Here’s a very quick post. If you are not using MBAM, don’t have access to your Active Directory, and want to recover your BitLocker key for whatever reason, you can quickly do so from within Windows as follows:

Open an administrative Command Prompt and type the following:

manage-bde -protectors c: -get

Replace the drive letter C: with whatever drive is encrypted.

You’ll see output something like this:

BitLocker Drive Encryption: Configuration Tool version 6.2.9200
Copyright (C) 2012 Microsoft Corporation. All rights reserved.

Volume C: [OSDisk]
All Key Protectors

TPM:      ID: {37CE71B7-8FE4-4CA9-9637-42516F599C02}

Numerical Password:    ID: {31514A2F-147C-478C-B6A2-618CD6F66653}

Password:
249238-002442-716694-646503-010879-234894-155485-185372
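
To check saved protector listings like the one above offline, here is an added Python example (not part of the original post). It parses the protector list, reports volumes that have no Numerical Password protector or that list one by ID only, and goes a step beyond the post by checking each 6-digit group of a recovery password, which must be a multiple of 11 and below 720896, so most typing mistakes are caught. The function names are this example's own; the D: and E: volumes and their IDs are constructed.

```python
import re

# Protector headings that appear in the manage-bde outputs quoted on this page.
HEAD = re.compile(r"^(TPM|Numerical Password|External Key|Password)\s*:\s*(.*)$")
GUID = re.compile(r"ID:\s*(\{[0-9A-Fa-f-]{36}\})")
RECOVERY = re.compile(r"^\d{6}(?:-\d{6}){7}$")
VOLUME = re.compile(r"^Volume\s+([A-Za-z]:)")

def parse_protectors(text):
    volumes, current, pending = {}, [], None  # text before the first volume is dropped
    for line in map(str.strip, text.splitlines()):
        vol, head = VOLUME.match(line), HEAD.match(line)
        if vol:
            current, pending = volumes.setdefault(vol.group(1).upper(), []), None
        elif RECOVERY.match(line):
            if current and current[-1]["type"] == "Numerical Password":
                current[-1]["recovery"] = line
        else:
            if head:
                pending, line = head.group(1), head.group(2)  # ID may share the line
            gid = GUID.search(line)
            if gid and pending:
                # A heading counts only once its ID follows, so a "Password:" label is skipped.
                current.append({"type": pending, "id": gid.group(1), "recovery": None})
                pending = None
    return volumes

def bad_groups(recovery):
    # Each 6-digit group must be a multiple of 11 and below 720896 (11 * 65536).
    return [i for i, g in enumerate(recovery.split("-"), 1) if int(g) % 11 or int(g) >= 720896]

def audit(text):
    findings = []
    for vol, prots in parse_protectors(text).items():
        numeric = [p for p in prots if p["type"] == "Numerical Password"]
        if not numeric:
            findings.append((vol, "no Numerical Password protector"))
        for p in numeric:
            if p["recovery"] is None:
                findings.append((vol, "recovery password not shown for " + p["id"]))
            elif bad_groups(p["recovery"]):
                findings.append((vol, "invalid groups %s" % bad_groups(p["recovery"])))
    return findings

# C: is the post's own output; D: and E: (and their IDs) are constructed samples.
SAMPLE = """\
Volume C: [OSDisk]
TPM:      ID: {37CE71B7-8FE4-4CA9-9637-42516F599C02}
Numerical Password:    ID: {31514A2F-147C-478C-B6A2-618CD6F66653}
Password:
249238-002442-716694-646503-010879-234894-155485-185372
Volume D: [Label Unknown]
Numerical Password:
  ID: {00000000-0000-0000-0000-0000000000D1}
Password:
  ID: {00000000-0000-0000-0000-0000000000D2}
Volume E: [Data]
TPM:      ID: {00000000-0000-0000-0000-0000000000E1}
"""
```

Calling audit(SAMPLE) returns one finding for D: (protector listed by ID only) and one for E: (no Numerical Password protector); bad_groups() can also be run on a key typed from a printout before it is entered at the recovery screen.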

To save your recovery key to a network share, first add a recovery key protector, which writes a .bek file to the root of C: (thanks Klaas):

manage-bde -protectors -add c: -recoverykey c:

Then use the script below to move the file to the share; modify it to suit your network share names:

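rem Replace driveletter, Networkshare and the credentials with your own values
net use driveletter Networkshare /user:domain\username password
rem Create a folder on the share named after this computer
md driveletter\bitlockerkeys\%computername%
rem The .bek file is hidden and marked as a system file; clear both attributes so it can be moved
attrib -h -s c:\*.bek
move c:\*.bek driveletter\bitlockerkeys\%computername%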

job done

 

Note: If you have simply locked yourself out of your laptop and don’t know what the BitLocker recovery key is, you can retrieve it using your Microsoft Hotmail account at the following URL: http://go.microsoft.com/fwlink/p/?LinkId=237614

cheers

niall

 


44 Responses to How can I retrieve my BitLocker Recovery key ?

  1. noha h.s says:

    niall, what if you get “ERROR: an attempt to access a required source was denied.” what’s the next step??

  2. saifi says:

    Hi, I’m Saifi from Pakistan. I changed my BitLocker password and forgot it. I have the recovery key, but it is inside the same drive that is locked. What can I do? I also remember previous passwords.

  3. Eambo says:

    Hi Niall,

    Sorry if this is the wrong place to put queries, but figured it fitted with this article.

    We’ve got a deployment via SCCM/Task Sequence which enables bitlocker. In 90+% of machines, there’s absolutely no problem.

    We’re finding a small subset of machines, however, are not getting bitlocker keys. They have a TPM key, however no numerical password – and therefore no method of recovery. Going to manage bitlocker shows that there’s no keys for it to manage.

    Our fix is simply to enable it manually, but being absolutely intrigued I’m trying to track down a root cause. Any suggestions on logs or places to look that may show why some machines are fine and some aren’t?

    Thanks!

    • ncbrady says:

      how are you enabling bitlocker ? using the built in step or via a script ? do you have any logs from one of the machines that has failed ? are you continuing on error on your enable bitlocker step ? I wouldn’t do that because you could end up with BitLocker failing …

  4. avdesignsthetomorrow says:

    Hi, I am Ashish.
    I have got a serious problem with my pendrive.

    I got BitLocker encryption on my pendrive, then I tried to decrypt it.
    But during decryption, I unplugged my pendrive from the USB port. (The decryption was not complete at that time.)
    After that, I plugged it back in, then it asked me for a password.
    I entered the password, but it displayed that “the entered password is incorrect”.
    Then I chose the option and entered the 48-digit recovery key, which I had on another drive.

    But it displayed that “the Recovery Key is incorrect.”
    I matched the Key Identification number also; it was the same. But even then it displayed that “the recovery key is incorrect.”

    Then I used the method given by you ABOVE!
    The ADMINISTRATIVE COMMAND PROMPT says —
    ” AN ATTEMPT TO ACCESS THEA REQUIRED RESOURCE WAS DENIED.
    CHECK THAT YOU HAVE ADMINISTRATIVE RIGHTS ON THE COMPUTER. “.

    Now what to do????

    Please help me out with this situation, I will be thankful to you…
    I just want my pendrive decrypted, with or without the data saved on it….. Huh
    Must reply..

    Waiting for your reply!!!

  5. faris says:

    When you want to open the command prompt, right-click on it and open as administrator. Hope your administrative rights problem will be solved.

  6. BenP says:

    Hi Niall,
    I access BitLocker with my Navy-issued CAC card. I had to get a new card because the old one expired; now BitLocker does see my new CAC card. I have been looking for the printed version of my recovery key but can’t find it. Is there a way to get BitLocker to recognize my new CAC card?

    Thank you for your assistance..
    V/r
    Ben

    • ncbrady says:

      hi Ben,
      i’ve no idea what a CAC card is, but you should check with your network administrator to see if the BitLocker key is stored in Active Directory, if it is then it’s easy to find.

  7. BenP says:

    Thanks for the quick reply. A CAC Card is actually just a smart card. For some reason the Gov’t calls them CAC Cards to get us all confused. Anyway, the certificates on my smart card expired and I had to get a new one, and now BitLocker does not recognize/see my smart card.

  8. ncbrady says:

    Have you asked your AD administrator yet if they back up your smart card certificates to AD? I would check there first. I assume you haven’t backed up the old certs yourself? See here for details: http://technet.microsoft.com/en-us/library/dd875530%28v=ws.10%29.aspx

  9. helgesverre says:

    Actually had the same problem myself, and i found a solution to it, maybe you will find it interesting, you can find it on my blog.

    Windows 7 BitLocker

  10. Kietyo says:

    Hey ncbrady,
    I get this:

    What do I do now?

  11. ncbrady says:

    back up the recovery key file (.bek) as you may need it later to recover the drive – see http://technet.microsoft.com/en-us/library/ee523219%28v=ws.10%29.aspx

  12. abaker0326 says:

    Hi there, I recently re-downloaded Windows 7 on my computer and didn’t even realize that doing this would lock me out of my external hard drive with BitLocker. Is there any way to unlock it now? The only thing I have is the “full bit-locker recovery key identification” but I don’t have the actual recovery key. Thanks for your time.

  13. chrisprice says:

    Thanks for this. I had to do a system image recovery from a BitLocker To Go drive. I had the drive password, but Windows 8.1 RE is not smart enough to take it – it needs the recovery key.

    Using this helped me pull it using another machine, then I could proceed with a restore.

  14. rezazy says:

    Hi dear

    I have Windows 8. I set a password on two of my drives with BitLocker and saved the keys to my Microsoft account. Now I have forgotten the password, and when I went to my account I found only one key there. My two drives have the same password. Now I can open one of my drives. If I find the password of my account that has the key, I can open the other drive.

    How can I find the password when we have the recovery key?

    I found the password ID and numerical password

    C:\Windows\system32>manage-bde -protectors -add h: -recoverykey h:
    BitLocker Drive Encryption: Configuration Tool version 6.2.9200
    Copyright (C) 2012 Microsoft Corporation. All rights reserved.

    Key Protectors Added:

    Saved to directory h:

    External Key:
    ID: {A631BD73-E1C2-4468-868F-633CB89BAB99}
    External Key File Name:
    A631BD73-E1C2-4468-868F-633CB89BAB99.BEK

    C:\Windows\system32>manage-bde -protectors h: -get
    BitLocker Drive Encryption: Configuration Tool version 6.2.9200
    Copyright (C) 2012 Microsoft Corporation. All rights reserved.

    Volume H: [Rezazy-HDD]
    All Key Protectors

    Password:
    ID: {7652F6CE-D88C-476C-B39D-D28175795000}

    Numerical Password:
    ID: {FDF0E831-353F-48C5-9F3A-C9C03E0CEA78}
    Password:
    106007-591283-270710-254309-670945-631730-606342-502788

    External Key:
    ID: {A631BD73-E1C2-4468-868F-633CB89BAB99}
    External Key File Name:
    A631BD73-E1C2-4468-868F-633CB89BAB99.BEK

  15. Iva says:

    Hi dear

    I have windows 10.
    I find the password id and numerical password

    Microsoft Windows [Version 10.0.10586]
    (c) 2015 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>manage-bde -protectors D: -get
    BitLocker Drive Encryption: Configuration Tool version 10.0.10011
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Volume D: [Label Unknown]
    All Key Protectors

    Numerical Password:
    ID: {7601E5E2-6BF8-43E9-85E5-E703FDBDC86A}

    Password:
    ID: {BDC9BEB5-AB77-47FA-950E-CD9A14FB7079}

    C:\Windows\system32>Microsoft Windows [Version 10.0.10586]
    ‘Microsoft’ is not recognized as an internal or external command,
    operable program or batch file.

    C:\Windows\system32>(c) 2015 Microsoft Corporation. All rights reserved.
    2015 was unexpected at this time.

    C:\Windows\system32>
    C:\Windows\system32>C:\Windows\system32>manage-bde -protectors D: -get
    ‘C:\Windows\system32’ is not recognized as an internal or external command,
    operable program or batch file.

    C:\Windows\system32>BitLocker Drive Encryption: Configuration Tool version 10.0.10011
    ‘BitLocker’ is not recognized as an internal or external command,
    operable program or batch file.

    Now what should I do?

  16. mariusips says:

    please help

    volum c: label unknow
    all key protectors
    numerical password
    id:{A735E020-E32E-47C2-8895-70EE916C510E}
    TPM:
    ID: {6190BC03-8370-4595-A4CC-1B66D5263F88}
    PCR VALIDATION PROFILE:
    7, 11

  17. Narasimha says:

    Hi,

    I just used bitlocker to one of my drives and when I am trying to unlock it the password I have used is showing as incorrect. I have tried with my recovery key also. The same result.

    I have used the command prompt also. It is showing an error with the recovery key.
    What should I do? The data on the drive is very important to me.

  18. coolguy9000 says:

    Hello All,

    Firstly, thank you for the info posted here. It provided me with a big boost in troubleshooting my issue.

    I wanted to ask here because this is where I started troubleshooting the issue I’m having with a USB removable drive that was somehow encrypted/locked by BitLocker To Go. I say somehow because I never remember being prompted like I was for the OS drive to encrypt my removable USB drives. Maybe the “somehow” is a clue?!

    Another key piece of info is that it was Symantec Endpoint Encryption that facilitated the encryption of the OS drive. SEE is installed by my company by policy. Since my company, Veritas, used to be Symantec, I even contacted a few SEE support guys who say that the issue is with BitLocker and not SEE. Although, like I mentioned, I was never prompted to encrypt the removable USB drives.

    Here’s what I’ve tried so far;

    1. I ran the protectors get command mentioned above

    c:\Windows\System32>manage-bde -protectors g: -get
    BitLocker Drive Encryption: Configuration Tool version 10.0.10011
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Volume G: [Label Unknown]
    All Key Protectors

    Numerical Password:
    ID: {27319850-4EB5-42AC-9BA5-1C0CCB997EE7}

    External Key:
    ID: {A4A49BE5-70A4-4388-8B2F-8C13B1CA765C}
    External Key File Name:
    A4A49BE5-70A4-4388-8B2F-8C13B1CA765C.BEK

    Unlike when I run the same for the OS drive, the password is never displayed in the aforementioned. This happens for all drives listed under Bitlocker To Go. I’m trying to understand why the password isn’t being displayed for these drives.

    QUESTIONS:
    Is this because it’s encrypted/locked by Bitlocker To Go in particular?
    Are there any manage-bde command syntax/flags to get this info?
    Is it because these drives were locked by Bitlocker To Go via some other Windows process/user that I cannot get the password?

    2. Fwiw, I ran manage-bde -unlock g: -sid and -pw with all of the SIDs and passwords that have logged on to the laptop.

    3. I ran the protectors add command (a few times) mentioned above. Note: There’s a removable USB drive (f:) that I can connect and it doesn’t get encrypted/locked.

    c:\Windows\System32>manage-bde -protectors -add g: -recoverykey f:
    BitLocker Drive Encryption: Configuration Tool version 10.0.10011
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    ERROR: An error occurred (code 0x80070057):
    The parameter is incorrect.

    c:\Windows\System32>manage-bde -protectors -add g: -recoverypassword f:
    BitLocker Drive Encryption: Configuration Tool version 10.0.10011
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    ERROR Cannot specify multiple volumes

    c:\Windows\System32>manage-bde -protectors -add g: -cert f:
    BitLocker Drive Encryption: Configuration Tool version 10.0.10011
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    ERROR Cannot specify multiple volumes

    Note: I tried the shortened forms (rk and rp) in the commands with the same results.

    QUESTIONS:
    Are there any manage-bde command syntax/flags to get this info?

    Can anybody help me from here? I cannot seem to get beyond this point. Any help would be appreciated, especially since the two removable USB drives contain data both work-related and personal.

    Regards, Jimmy

  19. coolguy9000 says:

    So, if I forgot to mention, I’m trying to “export” out the numerical password, recovery password, etc. from the locked drives to another drive in order to apply when unlocking the locked drives 🙂

  20. syboth3173 says:

    Ok I am having what seem the same issues as many others. I have Key ID but never got at recovery key. I alleged the command prompt but it keeps letting me the drive I am trying to access is locked and must unlock it before accessing commands. I feel trapped with this same software and can’t figure out any way to get around it. Any help?

  21. syboth3173 says:

    Ok just ran the manage-bde -protectors x: -get and got

    The BitLocker Drive and copyright messages, and below that received

    Numerical password
    ID: and then letters and numbers
    TPM:
    ID and again letters and numbers
    PCR Validation Profile:
    7,11

    So the question is: the recovery passcode is all numeric but the ones recovered are numbers and letters. When and how do I know which is correct, and how do I get the all-numerical one?

    • ncbrady says:

      well on my Surface Pro 4, which has three discs, one internal SSD, one Micro SD card and an external USB disc connected. The internal SSD is the only drive that is protected by BitLocker. Manage-bde -status reveals this:

      C:\WINDOWS\system32>manage-bde -status
      BitLocker Drive Encryption: Configuration Tool version 10.0.15007
      Copyright (C) 2013 Microsoft Corporation. All rights reserved.

      Disk volumes that can be protected with
      BitLocker Drive Encryption:
      Volume C: [Windows]
      [OS Volume]

      Size: 236.84 GB
      BitLocker Version: 2.0
      Conversion Status: Used Space Only Encrypted
      Percentage Encrypted: 100.0%
      Encryption Method: AES 128
      Protection Status: Protection On
      Lock Status: Unlocked
      Identification Field: Unknown
      Key Protectors:
      TPM
      Numerical Password

      and to reveal the Recovery Password you use manage-bde -protectors -get as shown below:

      C:\WINDOWS\system32>manage-bde -protectors -get c:
      BitLocker Drive Encryption: Configuration Tool version 10.0.15007
      Copyright (C) 2013 Microsoft Corporation. All rights reserved.

      Volume C: [Windows]
      All Key Protectors

      TPM:
      ID: {5CF6194D-5085-4DE9-AFF5-3109CAF0C5FC}
      PCR Validation Profile:
      7, 11
      (Uses Secure Boot for integrity validation)

      Numerical Password:
      ID: {D0DD2882-64FB-4D60-9AC9-D97AE30F4E53}
      Password:
      254771-168344-315458-177188-674377-037092-224455-431189

      so to unlock this BitLockered drive you’d use the password starting with 254771.

      Does this match your scenario and if not, what exactly is your issue (be descriptive…)

      • rapmendoza says:

        Hi ncbrady,

        in your last comment here:

        Numerical Password:
        ID: {D0DD2882-64FB-4D60-9AC9-D97AE30F4E53}
        Password:
        254771-168344-315458-177188-674377-037092-224455-431189

        so to unlock this BitLockered drive you’d use the password starting with 254771.

        How did you get the password itself?
        254771-168344-315458-177188-674377-037092-224455-431189

        I only got the numerical password.

        Thanks in advance.

  22. mohamed says:

    TPM NOT FOUND ON THIS COMPUTER

  23. Geordieriddle says:

    My cousin recently used CCleaner on his windows 10 notebook. upon completion, it will no longer boot up.
    I have attempted to recover the device using a number of methods but most are blocked by a message saying that the drive is locked -and asking for a bitlocker key
    When questioned, he is adamant that he has never accessed bitlocker and has no idea what it is. He has never used it or setup a password for it

    When I use the command ‘manage-bde -protectors -get c:’ above, I get;

    Numerical Password:
    ID: {A full code}

    TPM:
    ID:{A full code}
    PCR Validation Profile:
    7, 11

    As mentioned, the device will not boot up, there was no password set yet the device seemingly has been locked down by bitlocker

    Having also followed the link http://go.microsoft.com/fwlink/p/?LinkId=237614
    and logged in, it takes him to his one drive – yet there is no where to look for the key [key ID is known] amongst his stored personal files or a place for us to look to recover it

    have you come across anything similar? The device is effectively a brick at this point as the drive is locked down and therefore cannot be formatted by the external USB Win10 media

    I am aware if I remove it from the notebook and mount the drive there may be another method of recovery, but unless I have exhausted all other possibilities I would rather stay away from that solution

    thanks in advance ncbrady

  24. ruijorgevieira says:

    Hi Brady,

    My password for logging in on WIN 10 expired and I don’t remember it since I always log in with fingerprint. I tried some workarounds with cmd to reset the password, but since the disk is protected by BitLocker I can access. I don’t have the key since it’s a company laptop, and I doubt that the IT guys have it, since their first proposed solution to this situation was to format the PC and install everything again – a solution which I tried to avoid. Plus, I doubt that they had created a Microsoft account.
    Therefore, is there any way that I can retrieve the key that might be inside the disk? Is there any way to extract files from the disk? I have the typical IDs that the BitLocker screen presents – might that help?

    Thank you very much in advance for your feedback.

    Rui

    • ncbrady says:

      My password for log in on WIN 10 expired and i don’t remember since i always log in with fingerprint

      if you forgot the password then login using your fingerprint….

      • ruijorgevieira says:

        🙂
        as soon as i tried to login with the fingerprint a message appears:
        “Your password has expired. To change your password, sign in with password instead of PIN”. Tried also the PIN and the same message appears.

        Any thoughts on my questions?
        Thanks!

        Rui

  25. ruijorgevieira says:

    If you mean whether it is linked to a Microsoft account, no, it isn’t. However, it has the disk with BitLocker.

    • ncbrady says:

      so it’s a work computer but not joined to a domain ? then there’s not a lot anyone can do to help you, if you don’t remember your own password and it’s bitlockered, and if your fingerprint cannot log you in then you are stuck…
