My D driver was suddenly locked but I could not find the recovery key

Question

My D driver was suddenly locked but I could not find the recovery key

MENG Yu 0

Hello,

I have an urgent issue.

My corporate Entra ID join computer's D driver was suddenly locked.
I involved our IT admin engineers but could not find its recovery key.
User's image

I ran the cmd 'manage -bde -protectors -get D:' and got the .bek file name, but I search my all laptop folders but there is no .bek file.
User's image

I also tried below but failed too.
User's image

Please help.

0 comments

2 answers

Your answer

Answer 1

Domic Vo 23,805 Independent Advisor

Hi Meng Yu,

The error you’re seeing is expected because BitLocker protectors cannot be disabled while the drive is locked. The .bek file you saw referenced is a BitLocker key package file normally stored on a USB or in the system’s hidden folders when automatic unlock is configured, but if it’s missing, you won’t be able to use it to unlock the drive. At this point, the only supported way to regain access is with the recovery key. Since your machine is Entra ID joined, the recovery key is typically escrowed to Azure AD. You should log into the Entra admin portal, go to Devices → All devices → [select the device] → BitLocker keys, and check if the recovery key is stored there. If it’s not available, confirm with your IT team whether key escrow was enabled in your tenant; if it wasn’t, unfortunately the drive cannot be unlocked without the recovery key.

Do not attempt to bypass BitLocker, it’s designed to prevent exactly that. If the recovery key is not in Entra ID, check if it was saved to the user’s Microsoft account, printed, or stored in Active Directory if hybrid-joined. If none of those locations have the key, the drive data is unrecoverable by design. My recommendation is to escalate with your Entra ID global admin to verify whether BitLocker recovery key escrow policies were properly applied to this device.

If the above response helps answer your question, please hit "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

Domic V.

MENG Yu 0 Reputation points

2026-04-30T09:42:57.9466667+00:00

Hello expert,

Very appreciated for your quick reply.
But unfortunately my IT engineer has checked all recovery ID from Microsoft Entra ID in INTUNE, but those recovery keys are incorrect to decrypt my D driver.

Also, I checked https://myaccount.microsoft.com-> Device, all those recovery keys are same with those INTUNE ones, so not working neither.

BTW, with 'manage-bde -protectors -get D:' , which list this ID, is there anyway to find its key which might be working?
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Brian Huynh 3,220 Reputation points Microsoft External Staff Moderator

2026-05-12T08:54:03.49+00:00
Hello MENG Yu,

Regarding your question about the ID 3d6c2dbab8fd14d8640894e477c68d04—unfortunately, there is no way to derive or calculate the key from it. This ID is purely an identifier, similar to a serial number or a name tag. Because BitLocker uses enterprise-grade AES encryption, it is mathematically impossible to reverse-engineer or generate the actual 48-digit recovery password or the .bek file from this Protector ID.

In many corporate environments, Intune policies are successfully configured to enforce encryption and safely escrow the keys for the Operating System drive (C:). However, policies for Fixed Data Drives (like your D: drive) might be configured differently, or the automatic escrow process for secondary drives might have failed silently in the background. The keys you and your IT Admin are seeing in Intune and Entra ID are very likely the recovery keys for your C: drive only.

Since the standard Entra ID recovery path has been exhausted, we can proceed with an alternative troubleshooting path to try and locate the missing key.

First, please search for the .bek file locally and on any removable media. The .bek file (External Key) is typically generated as a hidden system file. It is often saved to a USB flash drive when the drive is first encrypted, but it might also be cached somewhere on your C: drive. Please plug in any USB drives you own, open Command Prompt as an Administrator, and run the following commands to search your C: drive and any USBs (replace E:\ with your USB drive):

dir C:\*.bek /a /s dir E:\*.bek /a /s

Next, I recommend reaching back out to your IT admin to ask if a BitLocker Data Recovery Agent (DRA) was deployed in your corporate environment. If a DRA policy was pushed via Intune or Group Policy prior to the D: drive being encrypted, your IT team can use their master DRA enterprise certificate to force-unlock the drive.

Lastly, please verify any personal Microsoft Accounts. Sometimes, during initial device setup, a personal Microsoft account (such as @outlook.com or @hotmail.com) gets linked to the Windows session. Please log into https://account.microsoft.com/devices/recoverykey with any personal Microsoft accounts you own to see if the key was escrowed there by mistake.

Answer 2

Because this is a corporate, Microsoft Entra ID–joined device, the recovery of a locked BitLocker data drive (D:) must use one of the supported recovery paths. Without a valid recovery key or recovery protector, the drive cannot be unlocked and the data can’t be accessed.

Use these steps with the IT admin team:

Try self-recovery options (if allowed)
- If the device owner is allowed to retrieve keys, sign in to https://myaccount.microsoft.com with the user’s Entra ID account.
- Go to Devices → select the affected Windows device → View BitLocker Keys.
- Match the recovery key ID shown on the BitLocker prompt for drive D: with the entry in the portal, then enter the corresponding 48‑digit recovery password on the BitLocker screen.
Helpdesk/IT recovery from Microsoft Entra ID
- If self-recovery is restricted, the helpdesk must retrieve the key:
  - Collect from the user:
    - Device name.
    - Recovery key ID shown on the BitLocker screen for drive D:.
  - In Entra ID or the BitLocker admin tools, search for the BitLocker recovery password using the device name or the recovery key ID, as described in the BitLocker recovery process helpdesk workflow.
  - Provide the 48‑digit recovery password to the user to unlock drive D:.
  - After successful unlock, rotate the recovery password using Intune/Configuration Manager or configured automatic rotation, so a new key is stored in Entra ID.
Check for other configured recovery methods
- Confirm whether recovery information for drive D: was also backed up to Active Directory or managed by MBAM:
  - For AD DS: search for the recovery password using the recovery key ID.
  - For MBAM: use the Administration and Monitoring Website → Drive Recovery, enter the user/domain and the first eight characters (or full) recovery key ID to retrieve the recovery password.
- If a Data Recovery Agent (DRA) certificate is configured for BitLocker:
  - Attach the encrypted D: drive to a device that has the DRA private key.
  - Use manage-bde -protectors -get D: to identify the DRA protector and thumbprint.
  - Unlock the drive with manage-bde -unlock D: -Certificate -ct <thumbprint>.
USB or printed recovery key
- Verify with the user whether the recovery password for drive D: was ever saved to a USB flash drive or printed:
  - If on USB, plug it into the device and follow the BitLocker prompt, or open the text file on another device and manually enter the 48‑digit key.
  - If printed, use the recovery key ID to select the correct 48‑digit key and enter it.
If no recovery information exists
- If the recovery password for drive D: is not in Entra ID, AD DS, MBAM, on a USB, or printed, and there is no DRA configured, there is no supported way to unlock the BitLocker‑protected drive.
- In that case, the only remaining option is to reformat the drive and recreate it, which permanently removes all data on D:.

For future prevention, ensure policy is configured so that BitLocker recovery information for all drives (OS and data drives) is automatically backed up to Microsoft Entra ID or AD DS, as recommended in the BitLocker recovery documentation.

References:

Share via

My D driver was suddenly locked but I could not find the recovery key

2 answers

Your answer