From time to time it may be necessary to create a new set of recovery information for an encrypted volume, for example, the information may have been passed to a support engineer or user to recover a laptop that had entered recovery mode. There will be no guarantee that this information hasn’t been written down and left with the computer, so to ensure the security of data on the computer a new recovery password can be generated and any previous ones deleted.
1. Suspend BitLocker Protection :
manage-bde -protectors -disable %systemdrive%
2. Delete Recovery Password :
manage-bde -protectors -delete %systemdrive% -type RecoveryPassword
3. Add a new Recovery Password :
manage-bde -protectors -add %systemdrive% -RecoveryPassword
4. Backup the new Recovery Password :
manage-bde -protectors -adbackup %systemdrive% -ID KeyProtectorID
5. Enable BitLocker Protection :
manage-bde -protectors -enable %systemdrive%
Note : When generating a new recovery password and storing the new one in AD DS; AD DS will not overwrite the old recovery password. This is by design. BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.