Windows Azure Active Directory and BitLocker Recovery Keys

This past March I wrote a post about using Azure Active Directory B2B for working alongside partner organizations. This post outlined how Cloud Construct uses Azure Active Directory to source users for our internal tooling as well as collaborating with clients. Cloud Construct is a virtual web development company with employees located in the Boston area.  We need to leverage tooling that enables us to be efficient, secure and scalable.  Azure Active Directory allows our employees to connect securely to their workstations and our code bases using their Cloud Construct domain accounts.  All good!

Microsoft BitLocker Drive Encryption

Many people leverage Microsoft BitLocker to protect their PCs from unauthorized access to the data on the drive. BitLocker encrypts the whole volume, so reading or copying data off a protected drive (for example by pulling it out of a lost or stolen laptop) is very difficult without one of the volume's key protectors: the TPM, a pre-boot PIN if you configured one, or the 48-digit recovery key. Note that it protects confidentiality, not availability: nothing stops someone from wiping an encrypted drive. When I first configured my Surface Pro 3, I turned on BitLocker to protect my drive. After following this post from Windows Central my drive was protected. There is an important step (8) where the system asks you how you want to store your recovery key. At the time, I didn't think twice about storing my key in my account, so I clicked "OK." I figured I would never need to use the key and thought even if I lost it there must be a way to recover your own computer.
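Step (8) above is where the recovery key is escrowed, and it is worth confirming on the device that this actually happened. The following is an added example, not code from the original post: it uses the BitLocker PowerShell module that ships with Windows 10 and later, run from an elevated prompt on an Azure AD-joined machine. The drive letter is an assumption.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# on an Azure AD-joined Windows 10/11 device. The BitLocker module ships with
# Windows. The mount point "C:" is an assumption; adjust for your system.
$mount = "C:"

# 1. Inspect the volume: is it protected, and which key protectors exist?
$vol = Get-BitLockerVolume -MountPoint $mount
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage

# A TPM protector unlocks the drive silently at boot. The RecoveryPassword
# protector is the 48-digit key BitLocker demands once the boot measurements
# held by the TPM change (firmware update, boot order change, and so on).
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

# 2. Make sure a numerical recovery password protector exists; add one if not.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 3. Escrow every recovery password protector to Azure AD. The key lands on
#    the device object in the tenant, which is where an admin can later read
#    it. The device must be Azure AD joined or registered.
foreach ($p in $rp) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId
}

# 4. Optional: before a planned firmware update, suspend protection for one
#    reboot so the changed measurements do not drop you into recovery.
#    BitLocker resumes automatically after that reboot.
# Suspend-BitLocker -MountPoint $mount -RebootCount 1
```

The escrow in step 3 is idempotent, so it is safe to re-run after adding a protector. The key ID printed in step 1 is the value the blue recovery screen later shows you, which is how you match a locked device to the right key when several are stored in the tenant.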

Microsoft Updates & BitLocker

Most PCs have automatic updates turned on, and the vast majority of updates leave the firmware alone. Sometimes, though, a firmware (UEFI or TPM) update is pushed down, and applying it requires a restart that changes the boot measurements the TPM uses to decide whether to release the BitLocker key. When that happens BitLocker refuses to unlock the drive automatically and drops into recovery mode, and the only way past that screen is the 48-digit recovery key (or your pre-boot PIN, if you set one up). Sounds like it makes sense, right? Well, it is kind of a pain when you're starting a work week and you don't remember anything about turning on BitLocker since you originally purchased the device. It results in you frantically guessing a PIN you created over a year ago and never wrote down. This is exactly what happened to me, and I was presented with this screen:

Frightening on a Monday morning when you need to get your work week started! I spent a lot of time trying to resolve the issue and remember my BitLocker PIN. I also googled for ways to access the drive without your PIN.

The result I came up with was that I needed to enter a BitLocker recovery key. Flashback to step (8) above in my BitLocker setup. I didn't write the key down. I didn't put it on a USB stick. What did I do with it? I selected to save it to my Microsoft account. All the posts I read said it is usually backed up to a Recovery Key page in your OneDrive storage location. I tried accessing the page; however, it only had old computer keys stored there from years ago. Besides, this was my personal account and not my organization/Azure Active Directory account.

As mentioned earlier, Cloud Construct sets up our organization in Azure Active Directory and all computers require you to sign in using these domain credentials. I read some posts that mentioned if you are on a domain and use BitLocker, you can contact your network administrator and receive your key from them. Apparently it is stored in Active Directory and can be retrieved by an IT professional. We don't have one of those! We're a virtual company and use Azure Active Directory. I was stumped. It got me thinking that if we use Azure Active Directory, maybe Microsoft was smart and sends the key to the Active Directory in the Azure Portal. Keep in mind this thought came to me as I was contemplating wiping my entire drive and starting over. I wasn't even sure I could do this anyway, since BitLocker prevents this. That is the same reason there is no "easy way" to just disable BitLocker. The point is to not allow anyone to decrypt the drive or access it. There is no backdoor, on purpose.

The Solution

After almost wiping my drive and starting with a new development machine, I decided to log in to the Windows Azure portal to see if maybe Microsoft replicated user recovery keys somewhere in there. After all, this is where a network administrator would find the recovery key for a PC in a traditional on-site environment with Active Directory. I logged in as the tenant admin and browsed to Azure Active Directory, then exposed the list of users in the company. I clicked into my name and looked for something resembling a recovery key. I clicked on the Devices tab and was shown the following screen:

No! I didn't see anything! I was defeated. Then, in the classic portal way, the most important information appeared at the bottom of the screen. I noticed the "View Details" button for an individual device at the bottom. I clicked this and BAM! There it was!

I was so pumped. I went back to my Surface and typed in the key at the prompt, and away we went with the updates. I couldn't believe it. It was right where it was supposed to be. In order to find it, it took me talking it out in my head about where this key might logically be located. Only then was I able to properly Google the information I needed. Once I did, I could find a few other posts about this, this being one of them.

It was so simple! Of course, this is where the key should go! The post I read also detailed that users can access their keys at https://account.activedirectory.windowsazure.com. However, I couldn't find a Devices tab to use in my account.
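The click-through above was the classic portal's way of reaching the device object. The same lookup can be scripted by a tenant admin; the following is an added example, not something from the original post, written against the current Microsoft Graph PowerShell SDK rather than the classic portal. The device name, the key ID prefix and the permission scopes listed are assumptions for illustration; the tenant role needed to read the key (for example Global Administrator or Helpdesk Administrator) is whatever your tenant has granted.

```powershell
# Added example (not from the original post). Requires the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and a signed-in account
# holding a role that may read BitLocker keys. Device name and key ID prefix
# below are placeholders (assumptions), not values from the post.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Listing keys needs BitLockerKey.ReadBasic.All; reading the key material
# itself needs BitLockerKey.Read.All. Device.Read.All is for the device lookup.
Connect-MgGraph -Scopes "BitLockerKey.Read.All", "Device.Read.All"

# 1. Find the Azure AD device object for the locked machine (name is an assumption).
$deviceName = "SURFACE-PRO-3"
$device = Get-MgDevice -Filter "displayName eq '$deviceName'"
if (-not $device) { throw "No Azure AD device named '$deviceName'" }

# 2. List the recovery keys escrowed for that device. Graph filters on the
#    device's DeviceId (not the directory object Id). This call returns key
#    IDs and volume types only, never the 48-digit key itself.
$keys = Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$($device.DeviceId)'"
$keys | Select-Object Id, VolumeType, CreatedDateTime

# 3. The recovery screen shows the beginning of the key ID. Match it before
#    handing anything over, so the right key goes to the right machine and
#    you are not reading keys you do not need. (Prefix value is an assumption.)
$shownKeyIdPrefix = "1A2B3C4D"
$match = $keys | Where-Object { $_.Id -like "$shownKeyIdPrefix*" }
if (-not $match) { throw "No escrowed key for '$deviceName' starts with $shownKeyIdPrefix" }

# 4. Fetch the key itself. Only an explicit request for the 'key' property
#    returns it, and the read is recorded in the Azure AD audit log.
$full = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $match.Id -Property "key"
$full.Key
```

Two points worth keeping in mind: the key only exists in the tenant if the device was Azure AD joined or registered and the escrow actually ran (which is why checking on the device beforehand pays off), and because every read of the key is audited, a helpdesk process should retrieve exactly the one key whose ID matches the recovery screen rather than dumping all keys for a user.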

If you are in a jam like I was, I hope this post helps you. I was excited to see Microsoft had planned for this scenario with the new Active Directory roll-out. Azure has been a great place for us to build out our company in a scalable, virtual way. Good luck!