Microsoft have released Technical Preview 2104 and with it comes a new BitLocker Management feature.
You can now get BitLocker recovery keys for a tenant-attached device from the Microsoft Endpoint Manager admin center. For example, a help desk technician who doesn’t have access to Configuration Manager could use the web-based admin center to help an end user get a recovery key for their device. Since this feature is still in preview, you need to access it from the Admin center preview option from the Configuration Manager console of the technical preview branch.
Let’s take a look at how that works. Below we have a client computer that is encrypted with BitLocker, has the latest ConfigMgr client agent installed and is tenant attached. Running the following command on the client lists its key protectors, including the ID of the recovery password protector that we will later match against the admin center:
manage-bde -protectors -get c:
In the ConfigMgr console, locate the device that is encrypted with BitLocker and tenant attached, right-click it, choose Start, then select Admin center preview.
Select Recovery keys from the options available and the recovery keys will be displayed (the latest recovery key is the last one listed).
Click on Show recovery key next to the BitLocker key ID that matches the one on the client. You will get a message informing you that if you view the recovery key, it will be rotated on the client as a security measure.
Clicking Yes reveals the recovery key.
Meanwhile, on the client computer, the recovery key is rotated, as you can see here.
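To confirm on the client that viewing the key really did rotate it, here is an added PowerShell example that is not part of the original post. It assumes an elevated session on a Windows client with the BitLocker module, and the baseline file path is my own choice.

```powershell
# Added example (not from the original post): record the BitLocker recovery
# password protector IDs on a client, then check whether they were rotated,
# e.g. after a technician viewed the key in the admin center.
# Assumes Windows with the BitLocker PowerShell module and an elevated session.

$BaselinePath = Join-Path $env:ProgramData 'BitLockerProtectorBaseline.json'  # assumed path

function Get-RecoveryProtectorId {
    param([string]$MountPoint = 'C:')
    # Only the numerical (recovery password) protectors matter here; the GUID
    # returned is the key ID shown next to each key in the admin center.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId }
}

function Save-ProtectorBaseline {
    param([string]$MountPoint = 'C:')
    $ids = @(Get-RecoveryProtectorId -MountPoint $MountPoint)
    [pscustomobject]@{
        MountPoint   = $MountPoint
        Recorded     = (Get-Date).ToString('o')
        ProtectorIds = $ids
    } | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    return $ids
}

function Test-RecoveryKeyRotated {
    param([string]$MountPoint = 'C:')
    if (-not (Test-Path $BaselinePath)) {
        throw "No baseline at $BaselinePath; run Save-ProtectorBaseline first."
    }
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    $old = @($baseline.ProtectorIds)
    $new = @(Get-RecoveryProtectorId -MountPoint $MountPoint)
    # A rotation replaces the old protector with a new one, so at least one
    # ID disappears and at least one new ID appears.
    $removed = @($old | Where-Object { $_ -notin $new })
    $added   = @($new | Where-Object { $_ -notin $old })
    [pscustomobject]@{
        Rotated    = ($removed.Count -gt 0 -and $added.Count -gt 0)
        RemovedIds = $removed
        AddedIds   = $added
    }
}

# Usage: Save-ProtectorBaseline before the key is viewed, Test-RecoveryKeyRotated afterwards.
```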
I didn’t see it explicitly stated, but for this to work you’ll need the device encrypted via BitLocker Management in ConfigMgr.