Prompt device administrators to back up a missing BitLocker recovery key

UPDATED: July 17, 2023 by Technoyl Team

In specific cases, a device owner may not have a BitLocker recovery key backed up. This feature presents a prompt to Microsoft Account (MSA) administrators of non-domain-joined devices to back up their BitLocker recovery key when it may not be backed up anywhere.


Prerequisites

  1. The Windows edition on the device is Pro/Enterprise.
  2. BitLocker is enabled on the device for the operating system drive.
  3. The device does not support automatic Device Encryption.
  4. The device is not domain joined to classic AD or Azure AD.
  5. Two device administrator accounts, at least one of them a Microsoft Account (MSA).

Steps

  1. Sign in with an administrator MSA account.
  2. Ensure your device does not support automatic device encryption.
    1. Check for a Device encryption page link near the top of the Settings > Privacy & security page. If you see a Device encryption page, then this feature will not run on this device.
    2. All Surfaces and most modern laptops support Device encryption, so this feature will not work on these modern devices.
  3. Ensure that BitLocker is enabled on the device for the OS drive. Start Menu > Type “bitlocker” > Manage BitLocker. Turn on BitLocker if it isn’t turned on.
  4. Launch the Windows Security app.
  5. Open the Device security page.
    1. If a BitLocker recovery key is not backed up, a warning to back it up shows up under the Data encryption section (it is also visible on the app’s main page).
    2. If there are no known problems with your recovery key, no warning will be shown.
  6. If prompted, follow the prompt to back up your recovery key to your preferred method or select Dismiss.
  7. The warning should disappear once your key is safely backed up.
  8. If no prompt was shown and you wish to intentionally produce the warning to back your key up, you can follow the steps below:
    1. Ensure the device does not support Device encryption (step 2) and is not domain joined.
    2. If needed, add a second administrator account to the device, ensuring at least one of them is an MSA account.
    3. Log in with an administrator account other than the MSA admin account you will later use to execute the steps (can be a local or MSA account).
    4. Open the Manage BitLocker control panel page by searching for “Bitlocker” in the Start menu.
    5. If your OS volume (usually C:) is encrypted, decrypt it, and wait for decryption to complete.
      1. You may be required to decrypt other data volumes along with the OS volume.
      2. Remember to re-encrypt them as well after you complete these steps.
    6. Turn on BitLocker for your OS volume (default settings are fine) and wait for encryption to complete.
    7. Log out and then log in with the MSA admin account that you were planning to execute the steps with.
    8. Wait at least 2 minutes and then return to step 4. You should see the warning in the Windows Security app’s Device security page because this MSA account did not get a key backed up when the other account encrypted the drive.
  9. If you enabled BitLocker for the operating system drive in step 3 and do not wish to leave it enabled, turn it off by navigating to Start Menu > type “bitlocker” > Manage BitLocker > Turn off BitLocker.
  10. If you added a new account in the steps above, you may want to remove the account from the device.
  11. If you decrypted any data volumes in the steps above, don’t forget to re-encrypt them.
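As an added example that is not part of the original article, the PowerShell below checks the prerequisites listed above from an elevated session and backs up the OS drive’s recovery password to a location you choose. The `Destination` path and the text-file layout are my assumptions; the feature itself backs up to your Microsoft account, not to a file.

```powershell
# Added example: verify the article's prerequisites and back up the recovery password.
# Assumes an elevated session on Windows Pro/Enterprise with the BitLocker and
# Microsoft.PowerShell.LocalAccounts modules available.

function Test-RecoveryKeyBackupPrereqs {
    param([string]$MountPoint = $env:SystemDrive)
    $result = [ordered]@{}

    # Not classic-AD joined and not Azure AD joined (feature does not run otherwise).
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.DomainJoined  = [bool]$cs.PartOfDomain
    $result.AzureAdJoined = [bool](dsregcmd /status | Select-String 'AzureAdJoined\s*:\s*YES')

    # Two administrators, at least one of them a Microsoft Account (MSA).
    $admins = @(Get-LocalGroupMember -Group 'Administrators')
    $result.AdminCount  = $admins.Count
    $result.HasMsaAdmin = [bool]($admins | Where-Object PrincipalSource -eq 'MicrosoftAccount')

    # BitLocker enabled on the OS drive; the key to back up is the RecoveryPassword protector.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $result.ProtectionStatus    = $vol.ProtectionStatus
    $result.VolumeStatus        = $vol.VolumeStatus
    $result.RecoveryPasswordIds = @($vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty KeyProtectorId)
    [pscustomobject]$result
}

function Export-RecoveryPassword {
    param([string]$MountPoint = $env:SystemDrive,
          [Parameter(Mandatory)][string]$Destination)   # assumed: e.g. a removable drive
    # Refuse to write the key onto the very volume it unlocks.
    if ((Split-Path -Qualifier $Destination) -eq $MountPoint.TrimEnd('\')) {
        throw "Destination must not be on the encrypted volume $MountPoint"
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        # No recovery password exists yet: add one so there is something to back up.
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    foreach ($p in $rp) {
        $name = "BitLocker Recovery Key $($p.KeyProtectorId.Trim('{}')).txt"
        "Identifier: $($p.KeyProtectorId)`nRecovery Key: $($p.RecoveryPassword)" |
            Out-File -FilePath (Join-Path $Destination $name) -Encoding utf8
    }
    $rp
}

Test-RecoveryKeyBackupPrereqs
```

Run `Export-RecoveryPassword -Destination 'E:\'` (your own removable drive letter) only after the prerequisite report shows the OS volume is protected; keep the exported file off the device.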
