Question: Where does Bitlocker store the recovery key in Windows?

Windows Bitlocker, the "unknown entity": that is the blog post I would like to paraphrase here. It is about the question of where the Windows Bitlocker feature actually stores the recovery key, which is needed from time to time. Before someone comes around with "in your Microsoft account": it is not always that simple. Blog reader Markus, who is an administrator, pointed out an observation of a special kind in this context. Time to take another look at Bitlocker.

My Bitlocker notes

Bitlocker is the feature Microsoft provides in Windows for encrypting drives. The encryption solution is integrated in both Windows 10 and Windows 11 (as well as in earlier versions of Windows) – and may also be activated on Home systems. This becomes a problem when Windows 10 Home (and also Windows 11 Home) automatically encrypts the drives of consumer machines and then, after a BIOS or Windows update, suddenly demands a recovery key because the drives are Bitlocker-encrypted. I addressed this issue in the blog post Windows 10/11 Home Edition and the OEM Bitlocker pitfall.

The Bitlocker recovery keys in question can be saved in Microsoft accounts or in the TPM. However, the feature is a reliable source of trouble whenever Windows demands a Bitlocker recovery key that the user does not know. Or the machine no longer starts and people can no longer access the data on the hard disk because it is encrypted.

But where is the Bitlocker recovery key?

Blog reader Markus contacted me by e-mail recently because he had made a special observation in connection with Bitlocker and the saved recovery key. Markus noticed it at work while updating the BIOS on his computer.

  • An update was started from the BIOS on the computer (it was an HP, but it doesn't matter)
  • Bitlocker then wanted the password at system startup
  • Then Bitlocker also wanted the recovery key

This is not really surprising, as the system is secured by Bitlocker. At first Markus didn't think this was a problem, because the Bitlocker recovery key is stored in the Microsoft account. But when he checked from a notebook, no Bitlocker recovery key for the affected machine was found in the Microsoft account. This is where many users lose their nerve, because the data remains encrypted indefinitely.

Markus wrote to me: "Well, since I'm not completely ignorant, I opted for the quickest way of BIOS rollback. That also worked wonderfully." After this rollback, he of course got into Windows without entering the recovery key. In the next step, he then began field research into the question of where the recovery key was stored by Bitlocker.

When the fire department has your Bitlocker key

He wrote to me: "After about 2 hours of research, I found out that the Bitlocker recovery key is not in my personal Microsoft account, where I would have expected it to be, nor in the Microsoft account of the university where I am active as an administrator." He found the Bitlocker recovery key in the Microsoft account of his access for the fire department.

Azure Entra ID wins?

Markus didn't pursue the whole thing any further, but wrote to me that one thing was certain: Azure AD (now Entra ID) wins over the account with which you log on to the computer (Markus hadn't actually expected this). This explains why the recovery key ended up in the Microsoft account for his fire department access.

What Markus would now be very interested in, however, is the answer to the question: "Which Azure AD affiliation wins if, for example, a user uses a OneDrive with an Azure AD account from another organization?" The blog reader then spun out a scenario: "I am an evil organization and would like to use the above approach to get the recovery key. You would then have RaaS (Ransomware as a Service) if you get Bitlocker to store the key in the (malicious) Azure AD of the attacker" (in his case, the key ended up in the fire department's account). What Markus has not yet tried is a test of what happens when you set up OneDrive in an on-premises Active Directory environment (AD environment) from an organization that has Azure AD (such as the fire department in the case above).

Markus says: "If the recovery key is also lost, that would be a really bad thing. However, due to a lack of time, I can't and won't look into it any further. In any case, I was very surprised. I don't know if I've overlooked something or not considered it, maybe I even didn't understand something :). I would say that it is certainly not transparent for normal users." At this point the question to the readership: Has anyone made similar observations or can they confirm Markus' observation?

I received two responses on Facebook, which I am posting here. On the question of how to specify an account to store the key, Thomas wrote: "We have therefore solved this with Sophos Central Device Encryption." And Andreas said: "You configure that. AD, Entra ID or both. There's a big fat GPO / Intune profile for it. And if you enroll your device in someone's Intune then well…. is the admin."
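To find out in advance which directory a machine will hand its recovery key to, and to escrow it deliberately rather than trusting whichever account happened to sign in, an administrator can run the following from an elevated PowerShell. This is an added example, not code from the blog post or from Markus; it assumes the built-in BitLocker module and dsregcmd.exe are present (Windows 10/11 Pro/Enterprise), and it only reports unless $DoBackup is set to $true.

```powershell
# Added example (not from the blog post): report the device's directory join state,
# list each BitLocker volume's key protectors, and optionally escrow the recovery
# password to Entra ID and/or AD DS explicitly. Run elevated.
$DoBackup = $false   # set to $true to actually back up the protectors

# 1. Which tenant/domain will receive the key? dsregcmd /status shows whether the
#    device is Entra-joined, domain-joined, or merely "workplace joined" (registered)
#    to some tenant through a signed-in work account.
$dsreg = dsregcmd /status
Write-Host "Device join state:"
$dsreg | Select-String -Pattern 'AzureAdJoined|DomainJoined|DomainName|WorkplaceJoined|TenantName|TenantId' |
    ForEach-Object { Write-Host "  $($_.Line.Trim())" }

# 2. For each protected volume, list the key protectors. The RecoveryPassword
#    protector is the 48-digit key the pre-boot prompt in the post asks for.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.ProtectionStatus -ne 'On') { continue }
    Write-Host "`nVolume $($vol.MountPoint): $($vol.VolumeStatus)"
    foreach ($kp in $vol.KeyProtector) {
        Write-Host ("  {0,-18} {1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId)
    }
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        Write-Warning "No RecoveryPassword protector on $($vol.MountPoint); nothing to escrow."
        continue
    }
    # 3. Escrow to the directory the device is actually joined to, instead of relying
    #    on the automatic backup that followed the signed-in account in Markus' case.
    foreach ($rp in $recovery) {
        if ($dsreg -match 'AzureAdJoined\s*:\s*YES') {
            Write-Host "  Would escrow $($rp.KeyProtectorId) to Entra ID"
            if ($DoBackup) { BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId }
        }
        if ($dsreg -match 'DomainJoined\s*:\s*YES') {
            Write-Host "  Would escrow $($rp.KeyProtectorId) to AD DS"
            if ($DoBackup) { Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId }
        }
    }
}

# 4. Is a GPO/Intune policy forcing escrow before encryption? These are the registry
#    values written by the "Choose how BitLocker-protected operating system drives can
#    be recovered" policy; absence means no escrow policy is applied.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (Test-Path $fve) {
    Get-ItemProperty $fve | Select-Object OSActiveDirectoryBackup, OSRequireActiveDirectoryBackup
} else {
    Write-Host "`nNo BitLocker policy key at $fve (no GPO/Intune escrow policy applied)."
}
```

If the join-state output shows a WorkplaceJoined tenant that is not the one you administer, that tenant is where an automatic backup will land, which is the situation Markus ran into.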

Similar article:
Windows 10/11 Home Edition and the OEM Bitlocker pitfall

This entry was posted in Security, Windows.