
Bitlocker keys gone.

Faas, Jason 40 Reputation points
2026-02-04T15:52:19.29+00:00

Hey all. I made a big mistake by being in an unnecessary rush: I pulled a PC, swapped the hard drive, and reimaged. During the reimage we use a PXE setup, and I removed the computer from AD, since the reimaging process creates the entry, just to make sure there would be no issues with the overwriting. Well, in doing that, I lost the BitLocker keys. I was hoping that by putting the hard drive back in that computer it would be able to pull the keys from the TPM, but it is still asking for the key. Is there any way to get it to use the keys from the TPM, or am I just out of luck?


Answer accepted by question author
  1. Jason Nguyen Tran 12,485 Reputation points Independent Advisor
    2026-02-04T16:44:18.0633333+00:00

    Hi Faas, Jason,

    Unfortunately, once a machine is removed from Active Directory and reimaged, the BitLocker recovery keys that were stored in AD are permanently lost. The TPM itself does not retain the recovery key in a way that can be reused after the operating system is reinstalled, which is why the drive is still prompting you for the key.

    BitLocker is designed this way to protect against unauthorized access, so there is no supported method to bypass the recovery prompt or extract the key directly from the TPM. The only way to regain access would have been to retrieve the recovery key from its original backup location (Active Directory, Azure AD, or manually saved file/printout). Since those keys were deleted along with the AD entry, the encrypted drive cannot be unlocked.

    Going forward, I recommend implementing a policy to automatically back up BitLocker recovery keys to Azure AD or Active Directory before reimaging, and to export them to a secure external location as an additional safeguard. This ensures that even if a machine is removed from AD, the keys remain accessible.

    I know this is not the outcome you were hoping for, but I hope this explanation clarifies why the TPM cannot be used to recover the lost keys and helps you plan stronger safeguards for future deployments. If you find this answer helpful, please click Accept Answer and kindly Upvote it so others can benefit too.

    Jason.

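The safeguard recommended in the answer above, as an added example that is not part of the original thread or of any Microsoft tooling: a script to run on the client before it is pulled for reimaging. It escrows every RecoveryPassword protector to AD DS with the stock BitLocker cmdlets and writes an out-of-band copy named by Key ID. The share path `\\fileserver\bitlocker-escrow` is an assumed placeholder, and the script assumes it runs elevated on a domain-joined machine whose GPO and AD schema already permit BitLocker key escrow; the Entra ID line is left commented for devices that are cloud-joined instead.

```powershell
# Added example (not from the original Q&A thread). Back up every BitLocker
# recovery password on this machine to AD DS and to a file share BEFORE the
# computer object is deleted or the disk is reimaged.
# Assumptions: run elevated on the domain-joined client; the BitLocker module
# is present; $ExportRoot is a share the operator controls (placeholder path).
param(
    [string]$ExportRoot = '\\fileserver\bitlocker-escrow'   # assumed placeholder
)

Import-Module BitLocker

$hostName  = $env:COMPUTERNAME
$exportDir = Join-Path $ExportRoot $hostName
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

foreach ($vol in Get-BitLockerVolume) {
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$($vol.MountPoint) is not protected by BitLocker; nothing to escrow."
        continue
    }

    # Only RecoveryPassword protectors can be escrowed. The TPM protector is
    # bound to the sealed OS volume and is of no use once that volume is reimaged.
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        Write-Warning "$($vol.MountPoint) has no RecoveryPassword protector; adding one."
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    foreach ($p in $rp) {
        # 1. Escrow to AD DS (needs the BitLocker schema extension and the
        #    "Store BitLocker recovery information in AD DS" policy permission).
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            Write-Host "Escrowed $($vol.MountPoint) $($p.KeyProtectorId) to AD DS"
        } catch {
            Write-Warning "AD DS escrow failed for $($vol.MountPoint): $($_.Exception.Message)"
        }

        # 2. For Entra ID (formerly Azure AD) joined devices use the cloud variant instead:
        # BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId

        # 3. Out-of-band copy. The recovery screen shows the Key ID, so naming the
        #    file by it makes a later lookup trivial even if AD is unavailable.
        $keyId = $p.KeyProtectorId.Trim('{}')
        $file  = Join-Path $exportDir ("{0}_{1}.txt" -f $vol.MountPoint.TrimEnd(':'), $keyId)
        @(
            "Computer:         $hostName"
            "Volume:           $($vol.MountPoint)"
            "Key ID:           $keyId"
            "Recovery password: $($p.RecoveryPassword)"
            "Escrowed at:      $(Get-Date -Format o)"
        ) | Set-Content -Path $file -Encoding ASCII
        Write-Host "Wrote $file"
    }
}
```

Run it as the last step of the decommission checklist, before the AD computer object is touched; the file copy is what saves you when the computer object (and the msFVE-RecoveryInformation children under it) disappears, so the share it lands on must be locked down to the people who are allowed to unlock drives.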

1 additional answer

  1. Q&A Assist
    2026-02-04T15:52:39.52+00:00
    AI-generated content. This answer was created with AI from Q&A Assist.

    If you have lost access to the BitLocker recovery keys after removing the computer from Active Directory (AD) and reimaging, it may be challenging to recover the keys directly from the TPM. The TPM is designed to secure the keys, but if the computer's identity has changed (like when you removed it from AD), it may not be able to retrieve the keys automatically.

    Here are some steps you can take to attempt recovery:

    1. Check for Backup: If you had previously saved the BitLocker recovery keys to a Microsoft account, Azure AD, or another secure location, you can retrieve them from there.
    2. Use the Administration and Monitoring Website: If your organization uses Microsoft BitLocker Administration and Monitoring (MBAM), you can check the centralized key recovery data system to see if the recovery keys are stored there.
    3. Recovery Key ID: If you have the recovery key ID, you can use it to retrieve the recovery password from the administration and monitoring website, if applicable.
    4. Contact IT Support: If your organization has an IT support team, they may be able to assist you in recovering the keys or provide additional options.

    Unfortunately, if none of these options are available, you may be unable to access the data on the drive without the recovery key. It's essential to ensure that recovery keys are stored securely in the future to prevent data loss in similar situations.



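Step 3 of the answer above (retrieving a recovery password from its Key ID) carried out against AD DS rather than the MBAM website, as an added example that is not part of the original thread. It is my own script, not Microsoft's, and assumes the ActiveDirectory RSAT module is installed and the caller is allowed to read msFVE-RecoveryPassword (by default Domain Admins). The `-IncludeDeletedObjects` switch is an assumption about the environment: it only finds anything if the forest has the AD Recycle Bin enabled and the computer object was deleted within the deleted-object lifetime, in which case the recovery objects can still be read and restored with Restore-ADObject.

```powershell
# Added example (not from the original Q&A thread). Look up a BitLocker
# recovery password in AD DS from the Key ID the recovery screen displays.
# Assumptions: ActiveDirectory module present; caller can read
# msFVE-RecoveryPassword; -IncludeDeletedObjects needs AD Recycle Bin.
param(
    [Parameter(Mandatory)]
    [string]$KeyIdPrefix,            # first 8+ hex chars from the recovery screen, e.g. 'A1B2C3D4'
    [switch]$IncludeDeletedObjects   # also search the Deleted Objects container
)

Import-Module ActiveDirectory

$prefix = $KeyIdPrefix.Trim('{}').ToUpper()
if ($prefix -notmatch '^[0-9A-F-]{8,36}$') {
    throw "Key ID prefix must be at least 8 hex characters of the recovery GUID."
}

# Every escrowed key is an msFVE-RecoveryInformation object whose CN is
# "<timestamp>{<full key GUID>}" and whose parent is the computer account.
# A CN prefix match avoids decoding the binary msFVE-RecoveryGuid attribute.
$ldap = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{${prefix}*))"

$query = @{
    LDAPFilter = $ldap
    Properties = 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid',
                 'whenCreated', 'isDeleted', 'lastKnownParent'
}
if ($IncludeDeletedObjects) { $query.IncludeDeletedObjects = $true }

$hits = @(Get-ADObject @query)
if ($hits.Count -eq 0) {
    Write-Warning "No msFVE-RecoveryInformation object with Key ID starting $prefix."
    if (-not $IncludeDeletedObjects) {
        Write-Warning "If the computer object was deleted, retry with -IncludeDeletedObjects."
    }
    return
}

foreach ($h in $hits) {
    # Live objects sit directly under the computer; deleted ones carry the
    # original parent in lastKnownParent instead.
    $owner = if ($h.isDeleted) { $h.lastKnownParent }
             else { ($h.DistinguishedName -split ',', 2)[1] }

    [pscustomobject]@{
        Computer         = $owner
        KeyId            = ([guid][byte[]]$h.'msFVE-RecoveryGuid').ToString().ToUpper()
        RecoveryPassword = $h.'msFVE-RecoveryPassword'
        Created          = $h.whenCreated
        Deleted          = [bool]$h.isDeleted
        DistinguishedName = $h.DistinguishedName
    }
}
```

Usage: `.\Find-BitLockerRecovery.ps1 -KeyIdPrefix A1B2C3D4` on a machine with RSAT. If the hit comes back with `Deleted = True`, restore the computer object first and then the recovery object (`Restore-ADObject -Identity <DN>`), or simply type the returned 48-digit password at the recovery prompt.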
