If your computer asks you for your BitLocker recovery key, the information below may help you find it and figure out why it is asking for it.
Where is my Microsoft BitLocker recovery key located?
Before turning on protection, BitLocker probably ensured that a recovery key was safely backed up. Depending on what you chose when you turned on BitLocker, your recovery key could be in one of these places:
- In your Microsoft account: Open a web browser on another device and sign in to your Microsoft account to find your recovery key. This is probably where your recovery key will be.
You can go to https://account.microsoft.com/devices/recoverykey or use the link above.
- On a printout: You may have printed out your recovery key when BitLocker was turned on. Check where you keep critical computer-related papers.
- On a USB flash drive: Plug the USB flash drive into your locked PC and follow the directions. If you saved the key as a text file on the flash drive, read the text file on a different computer.
- In an Azure Active Directory account: If your device has ever been signed into an organization using a work or school email account, your recovery key may be stored in that organization’s Azure AD account. You might be able to get to your recovery key right away, or you might need to talk to a system administrator.
- Held by your system administrator: If your device is connected to a domain (usually a work or school device), ask a system administrator for your recovery key.
Important: If you can’t find the BitLocker recovery key and can’t undo any change to the configuration that might have made it necessary, you’ll need to use one of the Windows recovery options to reset your device. When you reset your device, all of its files will be erased. Microsoft support can’t give you a lost BitLocker recovery key or make a new one.
What is BitLocker recovery?
BitLocker recovery is the process of regaining access to a BitLocker-protected drive if you can’t unlock it the usual way. In a recovery situation, you can get back into the drive in one of the following ways:
- The user can give the recovery password. If your organization lets users print or save recovery passwords, the user can type in the 48-digit recovery password that they printed or saved on a USB drive or with their Microsoft Account online. (You can only save a recovery password online with your Microsoft Account if you use BitLocker on a PC that is not part of a domain.)
- A data recovery agent can use their credentials to get into the drive. If the drive is an operating system drive, the data recovery agent needs to mount it as a data drive on another computer.
- A domain administrator can get the recovery password from AD DS and then use it to open the drive.
It is recommended to store recovery passwords in AD DS so that IT professionals can get recovery passwords for their organization’s drives if needed. This method only works if you have turned on this recovery method in the BitLocker Group Policy setting “Choose how BitLocker-protected operating system drives can be recovered”.
You can find this setting in the Local Group Policy Editor under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives. Check out BitLocker Group Policy settings to learn more.
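Once that policy is in place, an administrator can push a device's existing recovery password to the directory from the command line. The script below is an added example, not part of the original article; the `$mount` and `$target` values are assumptions to adjust, and it must run in an elevated PowerShell session on the protected device.

```powershell
# Added example: escrow the recovery password protector(s) of one volume.
$mount  = $env:SystemDrive   # assumption: back up the operating system volume
$target = 'ADDS'             # 'ADDS' = domain-joined PC, 'AzureAD' = Azure AD-joined PC

$volume = Get-BitLockerVolume -MountPoint $mount
if ($volume.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is not on for $mount."
}

# A volume can carry several protectors (TPM, PIN, recovery password, ...).
# Only the recovery password protectors are relevant for escrow.
$recovery = @($volume.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    throw "No recovery password protector on $mount; add one before backing up."
}

foreach ($kp in $recovery) {
    switch ($target) {
        'ADDS' {
            # Fails unless the Group Policy setting allows AD DS backup.
            Backup-BitLockerKeyProtector -MountPoint $mount `
                -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
        'AzureAD' {
            BackupToAAD-BitLockerKeyProtector -MountPoint $mount `
                -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
        default { throw "Unknown target '$target'." }
    }
    # Log the protector ID only; the 48-digit password is never written out.
    Write-Output "Escrowed protector $($kp.KeyProtectorId) from $mount to $target"
}
```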
What is my BitLocker recovery key?
Your BitLocker recovery key is a unique 48-digit number that can be used to unlock your system if BitLocker can’t be sure that the attempt to access the system drive is authorized.
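The 48 digits are entered as eight blocks of six digits, and every block is a multiple of 11, which makes it possible to catch a mistyped or misread digit before the key is entered on the recovery screen. The function below is an added example, not part of the original article; its name and the sample values are constructed for illustration.

```powershell
# Added example: structural check of a BitLocker recovery password.
function Test-RecoveryPasswordFormat {
    param([Parameter(Mandatory)][string]$Password)

    $problems = @()
    # Accept blocks separated by hyphens or whitespace.
    $blocks = $Password.Trim() -split '[-\s]+'

    if ($blocks.Count -ne 8) {
        $problems += "expected 8 blocks, found $($blocks.Count)"
    }
    else {
        for ($i = 0; $i -lt 8; $i++) {
            $block = $blocks[$i]
            if ($block -notmatch '^[0-9]{6}$') {
                $problems += "block $($i + 1): not exactly six digits"
            }
            elseif (([int]$block % 11) -ne 0) {
                # Each block encodes a 16-bit value multiplied by 11.
                $problems += "block $($i + 1): not a multiple of 11, likely a typo"
            }
            elseif ([int]$block -ge 720896) {
                # 720896 = 65536 * 11, one past the largest valid block.
                $problems += "block $($i + 1): value out of range"
            }
        }
    }

    [pscustomobject]@{
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample values, not real recovery keys.
$wellFormed = '000011-000022-000033-000044-000055-000066-000077-720885'
$oneTypo    = '000011-000022-000034-000044-000055-000066-000077-720885'

Test-RecoveryPasswordFormat -Password $wellFormed
Test-RecoveryPasswordFormat -Password $oneTypo
```

A password that passes this check is only well formed; whether it unlocks a given drive depends on it matching that drive's recovery protector.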
Why is Windows asking for my BitLocker recovery key?
BitLocker is the encryption technology that comes with Windows. It keeps unauthorized people from accessing your data by encrypting your drive and requiring one or more authentication factors before it will unlock it.
Windows will ask for a BitLocker recovery key if it thinks someone is trying to access the data without permission.
This extra step is a security measure meant to keep your information safe.
This can also happen if you change hardware, firmware, or software in a way that BitLocker can’t distinguish from a possible attack. Even if the user is the legal owner of the device, BitLocker may still ask for the recovery key in these situations.
This is to ensure that the person trying to get into the data has permission to do so.
How was BitLocker activated on my device?
BitLocker can usually start to protect your device in one of three ways:
- Your device is new and meets specific requirements to enable device encryption automatically. In this case, your BitLocker recovery key is automatically saved to your Microsoft account before protection is turned on.
- BitLocker (sometimes called “device encryption” on some devices) was turned on through the Settings app or Control Panel by the owner or administrator of your device. The user who turned on BitLocker either chose where to save the key or, if device encryption was turned on, the key was automatically saved to their Microsoft account.
- BitLocker protection was put on your device by a work or school organization that is in charge of it now or was in the past. In this case, the organization may have your BitLocker recovery key.
Back up your BitLocker recovery key
BitLocker is the encryption technology that comes with Windows. It keeps unauthorized people from accessing your data by encrypting your drive and requiring one or more authentication factors before it will unlock it. In everyday situations, BitLocker unlocks the drive when you sign into Windows.
But if Windows thinks someone is trying to access the drive without permission, it will ask for a BitLocker recovery key. This can also happen if you change hardware, firmware, or software in a way that BitLocker can’t distinguish from a possible attack. BitLocker may need the extra security of the recovery key in these situations.
You must have a backup copy of this key. Microsoft support can’t give you the key or make a new one if you lose it. Most of the time, your key is backed up when you first turn on BitLocker, but it’s still a good idea to make your own backup.
How to back up the key
- Press the Windows Start button and type BitLocker.
- Choose the Manage BitLocker Control Panel app from the search results list.
- Choose “Back up your recovery key” in the BitLocker app.
- Select where you want the key backed up:
  - Save to your Microsoft Account: This will save the key in the Recovery Keys library of your Microsoft Account, so you can quickly get to it from any computer in the future.
  - Save to a USB flash drive: If you have a flash drive on hand, you can save the key to it. If your computer ever asks for the key again, just plug in that USB drive and follow the instructions on the screen. The key only takes up a few KBs, so the drive doesn’t have to be large.
  - Save to a file: Your recovery key can be saved on any device as a plain text file. If you need that file again, you can open it with any text editor like Notepad or Microsoft Word to see the key. You won’t be able to save it to the encrypted BitLocker drive, so if you don’t have a second, unencrypted volume on the device, you may have to save it to a USB drive.
    - We suggest you copy or move that text file to your OneDrive Personal Vault, where it will be safe, secure, and easy to get to from any device.
  - Print the recovery key: If you’d rather, you can print the recovery key.
- Select Finish
BitLocker recovery guide
- Windows 10
- Windows 11
- After Windows Server 2016
This article for IT professionals explains how to get BitLocker keys from Active Directory Domain Services (AD DS). Organizations can access BitLocker-protected files using the recovery information stored in AD DS. Creating a recovery model for BitLocker is a good idea while planning how to use BitLocker.
This article assumes you know how to set up AD DS to back up BitLocker recovery information automatically and what kinds of recovery information are saved to AD DS. This article does not explain how to set up AD DS to store the information needed to recover from BitLocker.
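A recovery model only works for devices whose recovery information actually reached the directory, so a useful check is which computer accounts have none. The script below is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is installed and uses a placeholder OU path.

```powershell
# Added example: report computers with no BitLocker recovery information in AD DS.
Import-Module ActiveDirectory

# Assumption: placeholder OU; replace with the OU that holds your workstations.
$searchBase = 'OU=Workstations,DC=example,DC=com'

$report = foreach ($pc in Get-ADComputer -Filter * -SearchBase $searchBase) {
    # Recovery information is stored as msFVE-RecoveryInformation child
    # objects of the computer object. Only metadata is requested here; the
    # msFVE-RecoveryPassword attribute itself is never read.
    $escrow = @(Get-ADObject -SearchBase $pc.DistinguishedName `
            -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
            -Properties whenCreated)

    [pscustomobject]@{
        Computer     = $pc.Name
        EscrowedKeys = $escrow.Count
        NewestEscrow = ($escrow | Sort-Object whenCreated -Descending |
                Select-Object -First 1).whenCreated
    }
}

# Devices that could not be recovered from AD DS today.
$report | Where-Object EscrowedKeys -eq 0 | Sort-Object Computer
```

Run it with an account that is allowed to read BitLocker recovery information; without that access the objects are not returned and every computer appears to have no escrowed key.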