I recently purchased a Microsoft Surface Pro 4 which came with Windows 10. BitLocker was enabled by default during setup, however the recovery key was automatically uploaded to my Microsoft account. While this is a really good feature and for the vast majority of users will not pose a problem, I have slightly different concerns than the average user… therefore I decided I did not want my recovery key to be entrusted to Microsoft.
The quickest and easiest option was to delete the recovery key from my Microsoft account, which can be done here. However although this would remove my ability to get my recovery key from my Microsoft account it gives me absolutely no guarantee that Microsoft actually deleted it in any kind of permanent way, and given that everyone has a rigorous backup process (right? 😉 ), it is actually very likely that they actually still have my recovery key.
To have slightly more confidence I decided to change both the TPM Owner Password and BitLocker Recovery Key on my machine and keep them in a safe place offline in case I ever needed them.
To change the TPM Owner Password, open tpm.msc, then select “Change Owner Password…” in the top right, I followed the prompts within the dialogue box to change the password and save the file to external media.
To change the BitLocker Recovery Key is slightly more involved and utilises the BitLocker Device Encryption Configuration Tool:
Assuming C: is the BitLocker protected drive you want to change recovery password do the following within an elevated command prompt.
List the recovery passwords:
manage-bde C: -protectors -get -type RecoveryPassword
Locate which protector you want to change, there is probably only one, and copy its ID field including the curly braces.
Delete this protector:
manage-bde C: -protectors -delete -id [ID you copied]
Create a new protector:
Type manage-bde C: -protectors -add -rp
Note you can specify a 48 digit password at the end of the previous command if you wish, however if one is not specified one is randomly generated for you – computers are much better at randomly generating passwords than you so probably best to let it do it.
Take heed of the output of the last command:
ACTIONS REQUIRED: 1. Save this numerical recovery password in a secure location away from your computer: [YOUR RECOVERY KEY IS HERE] To prevent data loss, save this password immediately. This password helps ensure that you can unlock the encrypted volume.
As always, if you have any comments or suggestions please feel free to get in touch.