Technical Preview 2104: get BitLocker recovery keys for a tenant-attached device

Microsoft have released Technical Preview 2104 and with it comes a new BitLocker Management feature.

You can now get BitLocker recovery keys for a tenant-attached device from the Microsoft Endpoint Manager admin center. For example, a help desk technician who doesn’t have access to Configuration Manager could use the web-based admin center to help an end user get a recovery key for their device. Since this feature is still in preview, you need to access it from the Admin center preview option from the Configuration Manager console of the technical preview branch.

Let’s take a look at how that works. Below we have a client computer that is encrypted with BitLocker, has the latest ConfigMgr client agent installed and is tenant attached.

On the client computer, let’s verify the recovery key by typing the following in an administrative command prompt:

manage-bde -protectors -get c:

In the ConfigMgr console, locate the device that is encrypted with BitLocker and tenant attached, right-click it, choose Start, then select Admin center preview.

Select Recovery keys from the options available and the recovery keys will be displayed (the latest recovery key is the last one listed).

Click on Show recovery key next to the BitLocker key ID that matches the one on the client. You will get a message informing you that if you view the recovery key, it will be rotated on the client as a security measure.

Clicking Yes reveals the recovery key.

It can now be copied and shared with the end user who was locked out of their PC.

Meanwhile, the client computer rotates the key, as you can see here.

Back in Admin center preview, you can see that the new Recovery ID has been added (as has a new recovery key).
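To confirm the rotation on the client itself, the following PowerShell script (an added example, not part of the original post or of Microsoft's tooling) records the recovery password protector IDs before the key is viewed and compares them on a later run. The snapshot path and the function names are assumptions; it stores protector IDs only, never the 48-digit recovery password.

```powershell
# Added example: run elevated on the client, once before the key is viewed in
# the admin center and once after. Compares protector IDs only.
param(
    [string]$MountPoint   = 'C:',
    # Hypothetical snapshot location (assumption, not from the original post)
    [string]$SnapshotPath = "$env:ProgramData\bitlocker-protector-ids.txt"
)

function Get-RecoveryProtectorId {
    param([string]$MountPoint)
    # KeyProtectorId is the GUID that manage-bde prints as "ID: {...}"
    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    @($volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId })
}

function Compare-ProtectorId {
    param([string[]]$Before, [string[]]$After)
    [pscustomobject]@{
        Added   = @($After  | Where-Object { $_ -notin $Before })
        Removed = @($Before | Where-Object { $_ -notin $After })
    }
}

$current = Get-RecoveryProtectorId -MountPoint $MountPoint
if ($current.Count -eq 0) {
    throw "No recovery password protector found on $MountPoint."
}

if (-not (Test-Path -Path $SnapshotPath)) {
    # First run: save one protector ID per line, nothing else
    Set-Content -Path $SnapshotPath -Value $current -Encoding UTF8
    Write-Output "Snapshot saved ($($current.Count) ID(s)). Run again after the key has been viewed."
    return
}

# Later run: compare against the saved IDs
$before = @(Get-Content -Path $SnapshotPath | Where-Object { $_ })
$diff   = Compare-ProtectorId -Before $before -After $current

if ($diff.Added.Count -gt 0) {
    Write-Output "Rotation detected. New protector ID(s): $($diff.Added -join ', ')"
    if ($diff.Removed.Count -gt 0) { Write-Output "No longer present: $($diff.Removed -join ', ')" }
    Set-Content -Path $SnapshotPath -Value $current -Encoding UTF8
} else {
    Write-Output "No new recovery password protector yet; the key has not rotated."
}
```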

Great work!

I didn’t see it explicitly stated but for this to work you’ll need the device encrypted via BitLocker Management in ConfigMgr.

cheers

niall