Using the Retrieve All BitLocker Keys tool, you can view and copy current recovery passwords for all the sources where you have configured BitLocker keys — Configuration Manager, Active Directory, MBAM, and Entra ID.
Prerequisites:
- Right Click Tools Enterprise license
- Right Click Tools Console Extension installed
- Entra ID set up for Right Click Tools, if retrieving recovery keys from that source
To run the tool:
1. Right-click on a single device, multiple devices, or device collection.
2. Select Right Click Tools > Security Tools > Retrieve All BitLocker Keys.
The BitLocker Recovery Keys from Configured Sources window displays the Key Source, Recovery Key, Recovery Key ID, Date Created, and any Error.
You can copy a recovery key by right-clicking on an entry and choosing Copy Key to Clipboard.
TIP: If Right Click Tools is connected to a Recast Management Server, you can edit the sources from which the tool will retrieve recovery keys by disabling individual BitLocker Search options in your Recast Management Server Settings. Be sure to restart your Configuration Manager console after editing recovery key sources.
The ConfigMgr BitLocker Recovery Keys tool lets you retrieve current recovery passwords stored in Configuration Manager.
To run the tool:
1. Right-click on a device name.
2. Select Right Click Tools > Security Tools > ConfigMgr BitLocker Recovery Keys.
The ConfigMgr BitLocker Keys window that opens displays the following information:
- Machine Name
- Recovery Key
- Recovery Key ID
- Error
3. Right-click on a Recovery Key ID and click Copy Key to Clipboard.
The AD BitLocker Recovery Keys tool lets you view current recovery passwords and their detailed history.
To run the tool:
1. Right-click on a device name.
2. Select Right Click Tools > Security Tools > AD BitLocker Recovery Keys.
The AD BitLocker Keys window that opens displays the history of the recovery password including the dates when it was created and last changed.
See also Delegate Access to BitLocker Recovery Keys in Active Directory
The MBAM BitLocker Recovery Keys tool allows you to request new MBAM recovery keys.
To run the tool:
1. Right-click on a device name.
2. Select Right Click Tools > Security Tools > MBAM BitLocker Recovery Keys.
3. In the MBAM Recovery Key Request window, select the reason for requesting MBAM recovery keys.
Reasons include:
- Operating System Boot Order changed
- BIOS changed
- Operating System files modified
- Lost Startup Key
- Lost PIN
- TPM Reset
- Lost Passphrase
- Lost Smartcard
- Other
4. Click Request Key(s).
TIP: You can copy a recovery key by right-clicking on an entry and choosing Copy Key to Clipboard.
The Entra ID BitLocker Recovery Keys tool lets you retrieve current recovery passwords stored in Microsoft Entra ID (formerly Azure Active Directory). This tool requires a connection to your Recast Management Server.
Prerequisites
- Recast Management Server installed with Recast Proxy
- Users or user groups delegated access to view BitLocker Keys in Entra ID
- The following permissions added from the Microsoft Graph API for the application:
  Delegated permissions
  - User.Read
  - BitlockerKey.Read.All
  - BitlockerKey.ReadBasic.All
  - DeviceManagementConfiguration.Read.All
  - DeviceManagementManagedDevices.Read.All
  Application permissions
  - Device.Read.All

For more information, see our article on setting up Graph API permissions for Right Click Tools.
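One way to check the app registration's granted Graph permissions against the list above, flagging both missing and extra grants (an added example, not Recast's code). The input dictionaries are assumed to follow the shape of Graph's oauth2PermissionGrant, appRoleAssignment and appRole objects; the function names, sample IDs and sample grants are constructed.

```python
# Added example: audit an app registration's Microsoft Graph grants against
# the permission list on this page. All sample IDs and grants are constructed.

REQUIRED_DELEGATED = {
    "User.Read", "BitlockerKey.Read.All", "BitlockerKey.ReadBasic.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
}
REQUIRED_APPLICATION = {"Device.Read.All"}


def _diff(required, granted):
    """Case-insensitive compare; returns (missing, excess) as sorted lists."""
    req = {p.lower(): p for p in required}
    got = {p.lower(): p for p in granted}
    missing = sorted(req[k] for k in req.keys() - got.keys())
    excess = sorted(got[k] for k in got.keys() - req.keys())
    return missing, excess


def audit_permissions(delegated_grants, role_assignments, graph_app_roles):
    """Compare granted Graph permissions with the documented prerequisites."""
    # Delegated scopes arrive as one space-separated string per grant.
    scopes = {s for g in delegated_grants for s in g.get("scope", "").split()}
    # Application permissions are stored as role GUIDs; map them to names.
    names = {r["id"]: r["value"] for r in graph_app_roles}
    roles = {names.get(a["appRoleId"], "unknown:" + a["appRoleId"])
             for a in role_assignments}
    d_missing, d_excess = _diff(REQUIRED_DELEGATED, scopes)
    a_missing, a_excess = _diff(REQUIRED_APPLICATION, roles)
    return {"delegated_missing": d_missing, "delegated_excess": d_excess,
            "application_missing": a_missing, "application_excess": a_excess}


# Constructed sample data (not from a real tenant).
SAMPLE_GRANTS = [
    {"consentType": "AllPrincipals",
     "scope": "User.Read BitLockerKey.Read.All BitLockerKey.ReadBasic.All "
              "DeviceManagementManagedDevices.Read.All Directory.ReadWrite.All"},
]
SAMPLE_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-0000000000a1", "value": "Device.Read.All"},
    {"id": "00000000-0000-0000-0000-0000000000a2", "value": "Mail.Read"},
]
SAMPLE_ASSIGNMENTS = [{"appRoleId": r["id"]} for r in SAMPLE_APP_ROLES]

if __name__ == "__main__":
    report = audit_permissions(SAMPLE_GRANTS, SAMPLE_ASSIGNMENTS, SAMPLE_APP_ROLES)
    for key, perms in report.items():
        print(f"{key}: {', '.join(perms) or 'none'}")
```

Anything reported as excess is a grant beyond what this tool needs and is a candidate for removal, since the same registration can read BitLocker recovery keys.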
Run the Entra ID BitLocker Recovery Keys Tool
To run the tool:
1. Right-click on a device name.
2. Select Right Click Tools > Security Tools > EntraID BitLocker Recovery Keys.
The EntraID BitLocker Keys window that opens displays the following information:
- Machine Name
- Recovery Key
- Recovery Key ID
- Date Created
- Error
3. Right-click on a Recovery Key ID and click Copy Key to Clipboard.