BitLocker Recovery Key


BitLocker Recovery Key Management

A BitLocker recovery key is a unique 48-digit numerical password that can unlock a BitLocker-encrypted drive when the normal authentication method — such as a TPM check or PIN — fails or is unavailable. Zecurit automatically captures and stores recovery keys for every managed device that has BitLocker encryption enabled, making key retrieval fast and auditable without manual tracking.

This page explains how recovery keys are stored in Zecurit, how to retrieve a key when a device is locked, and how to configure key rotation policies.

How Zecurit Stores Recovery Keys

When a BitLocker policy is applied to a device and the “Update recovery key to domain controller” option is enabled in your profile, the Zecurit agent transmits the recovery key to your Active Directory domain controller at the time of encryption. Zecurit also retains a reference to the key in its console, allowing authorized administrators to retrieve it directly without needing access to Active Directory management tools.

Recovery keys are stored securely, encrypted in transit and at rest. Access to recovery keys in the Zecurit console is controlled by role-based permissions, so only designated administrators can view key values.

When a Recovery Key Is Needed

A recovery key is required in the following situations:

- The user has forgotten their BitLocker PIN or passphrase.
- The TPM chip has changed its state due to a firmware update, BIOS change, or hardware replacement.
- The device detects an unauthorized change to the boot environment.
- Too many incorrect PIN attempts have triggered BitLocker lockout.
- The hard drive has been moved to a different machine.

In any of these cases, Windows will prompt the user to enter a 48-digit recovery key before granting access to the drive.

How to Retrieve a Recovery Key in Zecurit

To retrieve a recovery key for a locked device:

1. Log in to the Zecurit console and navigate to Groups and Devices.
2. Locate the affected device using the search bar or by browsing the device group.
3. Open the device detail view and click the Recovery Key tab. The current stored recovery key for the device will be displayed.
4. Copy the 48-digit key and provide it to the user or use it to unlock the device remotely.

All key access events are automatically logged in the Recovery Key Audit Log, including the administrator’s identity and the date and time of access.

Providing the Recovery Key to a Locked User

When a user’s device is locked and they need the recovery key, the recommended workflow is:

1. The user contacts the IT helpdesk and provides their device name or serial number.
2. The helpdesk administrator locates the device in Zecurit and retrieves the recovery key from the Recovery Key tab.
3. The administrator verifies the user’s identity before sharing the key.
4. The administrator reads or pastes the 48-digit key to the user.
5. The user enters the key on the locked device.
6. Once the device boots successfully, the user can reset their PIN or passphrase.

After Using a Recovery Key

Once a recovery key has been used to unlock a device, it is considered consumed. If automatic key rotation is enabled in your BitLocker policy, Zecurit will generate and store a new recovery key at the next check-in. If rotation is not enabled, the same key remains active. It is a security best practice to rotate the recovery key after each use to prevent the same key from being reused.

Configuring Recovery Key Rotation

Key rotation is configured within the BitLocker policy profile under the Recovery Key Management section. Enable the “Allow periodic rotation of recovery key” checkbox and enter a rotation period in days (for example, 90 days). After each rotation period, Zecurit instructs the agent to generate a new BitLocker recovery key and back it up to Active Directory and the Zecurit console. The old key is invalidated.

Automatic key rotation is strongly recommended for high-security environments and is a best practice for meeting data protection audit requirements.

Troubleshooting Recovery Key Issues

If a recovery key is not available in Zecurit for a device, it may be due to one of the following reasons:

- The “Update recovery key to domain controller” option was not enabled in the BitLocker policy at the time of encryption.
- The device was encrypted before being enrolled in Zecurit.
- The device has not checked in with Zecurit since the policy was applied.
- An Active Directory write error occurred during key backup.

In these cases, you can manually retrieve the recovery key from Active Directory using the BitLocker Recovery Password Viewer in Active Directory Users and Computers, or by running manage-bde -protectors -get C: on the device itself (requires local administrator access).
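The rotation sequence described under Configuring Recovery Key Rotation (new key generated, backed up to Active Directory, old key invalidated) and the manual Active Directory backup mentioned above can both be performed locally with the built-in BitLocker PowerShell module. The script below is an added example, not the Zecurit agent's code; it assumes a domain-joined Windows host, local administrator rights, and that Active Directory is already configured to accept BitLocker recovery information. The function name is hypothetical.

```powershell
# Added example (not Zecurit agent code): rotate the BitLocker recovery
# password on a volume and escrow the new one to Active Directory.
# Assumes: local administrator, domain-joined host, BitLocker module present,
# AD prepared for BitLocker recovery backup. Function name is hypothetical.
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

function Update-BitLockerRecoveryPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "$MountPoint is not fully encrypted (status: $($vol.VolumeStatus)); refusing to rotate."
    }

    # IDs of the existing 48-digit recovery password protectors (there may be several).
    $oldIds = @($vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty KeyProtectorId)

    if (-not $PSCmdlet.ShouldProcess($MountPoint, 'Rotate recovery password')) { return }

    # 1. Generate a new recovery password protector. Windows chooses the value;
    #    the script never reads, prints or transmits the 48 digits itself.
    $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $newProt = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds }

    # 2. Escrow the new protector to Active Directory BEFORE removing the old one,
    #    so there is never a window with no backed-up key. This is also the manual
    #    fix when the agent's AD backup failed: the cmdlet throws on a write error.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newProt.KeyProtectorId

    # 3. Invalidate the consumed/old protectors so a key that has been spoken
    #    over the phone or pasted into a ticket can no longer unlock the drive.
    foreach ($id in $oldIds) {
        $null = Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id
    }

    # Return protector IDs only; the password value is retrieved from AD or the console.
    [pscustomobject]@{
        MountPoint          = $MountPoint
        NewProtectorId      = $newProt.KeyProtectorId
        RemovedProtectorIds = $oldIds
    }
}

# Usage: Update-BitLockerRecoveryPassword -MountPoint 'C:' -WhatIf   (dry run)
```

Because `Backup-BitLockerKeyProtector` runs before `Remove-BitLockerKeyProtector`, an Active Directory write error aborts the rotation with the old key still valid and still escrowed.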
