Using the Retrieve All BitLocker Keys tool, you can view and copy current recovery passwords for all the sources where you have configured BitLocker keys — Configuration Manager, Active Directory, MBAM, and Entra ID.
Prerequisites
- Right Click Tools Enterprise license
- Right Click Tools Console Extension installed
- Entra ID set up for Right Click Tools, if retrieving recovery keys from that source
Recast Permissions
| Plugin | Permissions |
|---|---|
| Administration | ListActiveDirectoryServiceConnections ListMemcmServiceConnections ListAzureActiveDirectoryServiceConnections ListMbamServiceConnections |
| ConfigMgrServer | GetBitLockerRecoveryKeys GetEntraIdInfo |
| ActiveDirectory | GetBitLockerRecoveryData |
| MicrosoftGraph | GetBitlockerRecoveryKey GetDevicesWithBitlockerKeys GetBitlockerKeyIdsForDevice |
| MBAM | GetRecoveryKeysForDevice |
Microsoft Permissions
Add the following Microsoft Graph API application and delegated permissions to the app registration for your Entra ID service connection.
- Device.Read.All
- User.Read
- BitlockerKey.Read.All
- BitlockerKey.ReadBasic.All
- DeviceManagementConfiguration.Read.All
- DeviceManagementManagedDevices.Read.All
Run the Retrieve All BitLocker Keys Tool
To run the tool:
1. Right-click on a single device, multiple devices, or device collection.
2. Select Right Click Tools > Security Tools > Retrieve All BitLocker Keys.
The BitLocker Recovery Keys from Configured Sources window displays the Key Source, Recovery Key, Recovery Key ID, Date Created, and any Error.
You can copy a recovery key by right-clicking on an entry and choosing Copy Key to Clipboard.
TIP: If Right Click Tools is connected to a Recast Management Server, you can edit the sources from which the tool will retrieve recovery keys by disabling individual BitLocker Search options (BitLockerSearchAd, BitLockerSearchConfigMgr, BitLockerSearchEntraID, BitLockerSearchMBAM) in your Recast Management Server Settings. Be sure to restart your Configuration Manager console after editing recovery key sources.
The ConfigMgr BitLocker Recovery Keys tool lets you retrieve current recovery passwords stored in Configuration Manager. You can also use the Retrieve All BitLocker Keys tool to pull recovery password details from multiple BitLocker key locations.
Recast Permissions
| Plugin | Permissions |
|---|---|
| ConfigMgrServer | GetBitLockerRecoveryKeys |
To run the tool:
1. Right-click on a device name.
2. Select Right Click Tools > Security Tools > ConfigMgr BitLocker Recovery Keys.
The ConfigMgr BitLocker Keys window that opens displays the following information:
- Machine Name
- Recovery Key
- Recovery Key ID
- Error
3. Right-click on a Recovery Key ID and click Copy Key to Clipboard.
The AD BitLocker Recovery Keys tool lets you view current recovery passwords and their detailed history. You can also use the Retrieve All BitLocker Keys tool to pull recovery password details from multiple BitLocker key locations.
Recast Permissions
| Plugin | Permissions |
|---|---|
| ActiveDirectory | GetBitLockerRecoveryData |
To run the tool:
1. Right-click on a device name.
2. Select Right Click Tools > Security Tools > AD BitLocker Recovery Keys.
The AD BitLocker Keys window that opens displays the history of the recovery password including the dates when it was created and last changed.
See also: Delegate Access to BitLocker Recovery Keys in Active Directory
The Entra ID BitLocker Recovery Keys tool lets you retrieve current recovery passwords stored in Microsoft Entra ID (formerly Azure Active Directory). This tool requires a connection to your Recast Management Server. You can also use the Retrieve All BitLocker Keys tool to pull recovery password details from multiple BitLocker key locations.
NOTE: This action currently works for co-managed devices.
Prerequisites
- Recast Management Server installed with Recast Proxy
- Users or user groups delegated access to view BitLocker Keys in Entra ID
- Service connection added from your Recast Management Server to Entra ID (Azure Active Directory)
- Minimum Recast Software version: 5.6.2407.1103
Recast Permissions
| Plugin | Permissions |
|---|---|
| MicrosoftGraph | GetBitlockerRecoveryKey GetDevicesWithBitlockerKeys GetBitlockerKeyIdsForDevice |
| Administration | ListAzureActiveDirectoryServiceConnections |
| ConfigMgrServer | GetEntraIdInfo |
Microsoft Permissions
Add the following Microsoft Graph API application and delegated permissions to the app registration for your Entra ID service connection.
- Device.Read.All
- User.Read
- BitlockerKey.Read.All
- BitlockerKey.ReadBasic.All
- DeviceManagementConfiguration.Read.All
- DeviceManagementManagedDevices.Read.All
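An added example, not Recast's or Microsoft's own code: a Microsoft Graph PowerShell script that audits the app registration behind your Entra ID service connection against the permission list above (the same list appears in the Retrieve All BitLocker Keys section), reporting permissions that are missing and any granted beyond the list. It assumes the Microsoft Graph PowerShell SDK is installed, that the placeholder `$AppId` is replaced with your app registration's Application (client) ID, and it treats the six listed names as the complete allowed set whether each is granted as an application or a delegated permission.

```powershell
# Added example, not part of Right Click Tools. Assumes the Microsoft Graph
# PowerShell SDK (Microsoft.Graph module) is installed.
$AppId = '00000000-0000-0000-0000-000000000000'   # placeholder: your app registration's Application (client) ID

# Permissions listed in the documentation; anything outside this set is
# more than the BitLocker key tools need and is flagged for review.
$Expected = @(
    'Device.Read.All', 'User.Read', 'BitlockerKey.Read.All', 'BitlockerKey.ReadBasic.All',
    'DeviceManagementConfiguration.Read.All', 'DeviceManagementManagedDevices.Read.All'
)

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# Well-known appId of the Microsoft Graph resource service principal.
$GraphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$AppSp   = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $AppSp) { throw "No service principal for appId $AppId; has admin consent been granted?" }

# Application permissions are app role assignments; resolve each AppRoleId
# to its name using the Microsoft Graph service principal's appRoles.
$Granted = @{}
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AppSp.Id |
    Where-Object ResourceId -eq $GraphSp.Id |
    ForEach-Object {
        $role = $GraphSp.AppRoles | Where-Object Id -eq $_.AppRoleId
        if ($role) { $Granted[$role.Value] = 'Application' }
    }

# Delegated permissions are OAuth2 grants with a space-separated scope string.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($AppSp.Id)'" |
    Where-Object ResourceId -eq $GraphSp.Id |
    ForEach-Object {
        $consent = $_.ConsentType
        foreach ($scope in ($_.Scope -split ' ' | Where-Object { $_ })) {
            if (-not $Granted.ContainsKey($scope)) { $Granted[$scope] = "Delegated ($consent)" }
        }
    }

$Missing = $Expected | Where-Object { -not $Granted.ContainsKey($_) }
$Extra   = $Granted.Keys | Where-Object { $_ -notin $Expected }

"Microsoft Graph permissions granted to ${AppId}:"
$Granted.GetEnumerator() | Sort-Object Name | ForEach-Object { '  {0,-45} {1}' -f $_.Name, $_.Value }
if ($Missing) { "MISSING (key retrieval will fail): $($Missing -join ', ')" }
if ($Extra)   { "EXTRA (beyond what the tools need, review): $($Extra -join ', ')" }
```

Run it with an account that can read application and directory objects; it only reads, so it is safe to schedule as a periodic least-privilege check on the service connection.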
Run the Entra ID BitLocker Recovery Keys Tool
To run the tool:
1. Right-click on a device name.
2. Select Right Click Tools > Security Tools > EntraID BitLocker Recovery Keys.
The EntraID BitLocker Keys window that opens displays the following information:
- Machine Name
- Recovery Key
- Recovery Key ID
- Date Created
- Error
3. Right-click on a Recovery Key ID and click Copy Key to Clipboard.
The MBAM BitLocker Recovery Keys tool allows you to request new MBAM recovery keys. You can also use the Retrieve All BitLocker Keys tool to pull recovery password details from multiple BitLocker key locations.
Recast Permissions
| Plugin | Permissions |
|---|---|
| MBAM | GetRecoveryKeysForDevice |
To run the tool:
1. Right-click on a device name.
2. Select Right Click Tools > Security Tools > MBAM BitLocker Recovery Keys.
3. In the MBAM Recovery Key Request window, select the reason for requesting MBAM recovery keys.
Reasons include:
- Operating System Boot Order changed
- BIOS changed
- Operating System files modified
- Lost Startup Key
- Lost PIN
- TPM Reset
- Lost Passphrase
- Lost Smartcard
- Other
4. Click Request Key(s).
TIP: You can copy a recovery key by right-clicking on an entry and choosing Copy Key to Clipboard.