Multiple BitLocker keys are showing for my Intune managed devices in Azure AD.

  • Question

  • Hi All,

    Any idea why devices are showing multiple BitLocker recovery keys?

    In my case, a few machines are showing more than 5, and a few are showing more than 10.

    How do I find the correct BitLocker key, and how do I avoid multiple BitLocker keys for devices?

    Thank you.

    Thursday, September 12, 2019 10:46 AM

All replies

  • I can't tell you exactly why there is more than one key other than the key changed at some point or there are multiple volumes on the system that are protected.

    As for knowing which is correct, when you are prompted for a key, it will always present you with an ID. Match this ID to the key stored in Azure AD and that's the one you need. To determine which is currently active on a system, run

    manage-bde -protectors -get x:

    from an elevated command prompt, where x is the volume letter. If there are multiple volume letters, then you should run this for each. This will show you the ID and recovery key for the volume.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, September 12, 2019 1:50 PM
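
Added example (not part of the original thread or of any poster's reply): a PowerShell version of the matching step described in the reply above, using the BitLocker module's `Get-BitLockerVolume` cmdlet rather than `manage-bde`. The `$AadKeyIds` values are constructed placeholders standing in for the key IDs listed on the device's record in Azure AD; run it from an elevated session on the device.

```powershell
# Added example. Key IDs copied from the device's record in Azure AD.
# These GUIDs are constructed placeholders, not real key IDs.
$AadKeyIds = @(
    '11111111-1111-1111-1111-111111111111',
    '22222222-2222-2222-2222-222222222222',
    '33333333-3333-3333-3333-333333333333'
)

function ConvertTo-NormalizedKeyId([string]$Id) {
    # Get-BitLockerVolume wraps IDs in braces; strip them and ignore case
    # so they compare cleanly with the IDs copied from the portal.
    $Id.Trim().Trim('{', '}').ToUpperInvariant()
}

$known = @($AadKeyIds | ForEach-Object { ConvertTo-NormalizedKeyId $_ })

# Collect the recovery-password protectors currently active on every volume.
# The recovery password itself is deliberately not read or printed.
$active = @(
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in $vol.KeyProtector) {
            if ($kp.KeyProtectorType -eq 'RecoveryPassword') {
                $id = ConvertTo-NormalizedKeyId $kp.KeyProtectorId
                [pscustomobject]@{
                    Volume    = $vol.MountPoint
                    KeyId     = $id
                    InAzureAD = $known -contains $id
                }
            }
        }
    }
)

'Active recovery-password protectors on this device:'
$active | Format-Table -AutoSize

# IDs escrowed in Azure AD that no volume uses any more (older keys).
$activeIds = @($active | ForEach-Object { $_.KeyId })
$stale = @($known | Where-Object { $activeIds -notcontains $_ })
"Escrowed key IDs not active on any volume: $($stale.Count)"
$stale

# An active protector missing from Azure AD means recovery would fail.
$missing = @($active | Where-Object { -not $_.InAzureAD })
if ($missing.Count -gt 0) {
    Write-Warning "Active protector(s) not found in the Azure AD list:"
    $missing | Format-Table -AutoSize
}
```
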
  • Probably an issue with the TPM, the encryption key is uploaded to Azure but somehow the disk is not encrypted or something like it, or the key could not be saved to the TPM.

    If you have more than 1 key and you only encrypted the disk once, it's because it's failing the disk encryption.

    Every time the TPM fails it will ask for the BitLocker key too and it will "re-encrypt the disk" with another key.

    Thursday, September 12, 2019 2:01 PM
  • This is a known issue with Windows 10 v1809

    https://twitter.com/ConfigMgrDogs/status/1108190437108383744?s=20



    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

    • Proposed as answer by Albert Neef Monday, September 16, 2019 11:58 AM
    Thursday, September 12, 2019 5:21 PM