If your system is asking you for your BitLocker recovery key, the following information may help you locate your recovery key and understand why you may be asked to provide it. BitLocker ensured that a recovery key was safely backed up prior to activating protection.
Where can I find my BitLocker recovery key?
There are several places that your recovery key may be, depending on the choice that was made when activating BitLocker:
- In your Microsoft account: Sign in to your Microsoft account on another device to find your recovery key. If you have a modern device that supports automatic device encryption, the recovery key will most likely be in your Microsoft account. For more, see Device encryption in Windows. Note: If the device was set up or BitLocker protection was activated by another user, the recovery key may be in that user’s Microsoft account.
- On a printout: You may have printed your recovery key when BitLocker was activated. Look where you keep important papers related to your computer.
- On a USB flash drive: Plug the USB flash drive into your locked PC and follow the instructions. If you saved the key as a text file on the flash drive, use a different computer to read the text file.
- In an Azure Active Directory account: If your device was ever signed in to an organization using a work or school email account, your recovery key may be stored in that organization's Azure AD account associated with your device. You may be able to access it directly or you may need to contact a system administrator to access your recovery key.
- Held by your system administrator: If your device is connected to a domain (usually a work or school device), ask a system administrator for your recovery key.
What Is BitLocker Recovery Key?
Your BitLocker recovery key is a unique 48-digit numerical password that can be used to unlock your system if BitLocker is otherwise unable to confirm for certain that the attempt to access the system drive is authorized.
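A format check for the 48-digit recovery password described above, useful for catching a transcription error in a printed or saved key and for spotting recovery keys left in plaintext files. This is an added example, not part of the original page: it relies on the recovery password layout of eight six-digit groups, each a multiple of 11 encoding a 16-bit value, which the page itself does not state, and the sample key and note text are constructed.

```python
import re

# Eight groups of six digits separated by hyphens or spaces (48 digits in total).
CANDIDATE = re.compile(r"(?<!\d)\d{6}(?:[- ]\d{6}){7}(?!\d)")

def check_recovery_password(text):
    """Return a list of format problems; an empty list means well-formed."""
    groups = re.split(r"[- ]", text.strip())
    if len(groups) != 8:
        return [f"expected 8 groups, found {len(groups)}"]
    problems = []
    for i, g in enumerate(groups, start=1):
        if not re.fullmatch(r"\d{6}", g):
            problems.append(f"group {i}: not six digits")
        elif int(g) % 11 != 0:
            # Each group is a 16-bit value multiplied by 11, so a single
            # mistyped digit breaks divisibility by 11.
            problems.append(f"group {i}: not a multiple of 11 (likely typo)")
        elif int(g) // 11 > 0xFFFF:
            problems.append(f"group {i}: out of range")
    return problems

def find_recovery_passwords(text):
    """Return well-formed recovery passwords found in free text, masked."""
    hits = []
    for m in CANDIDATE.finditer(text):
        if not check_recovery_password(m.group()):
            # Report only the first group so the full key never reaches a log.
            hits.append(m.group()[:6] + "-******" * 7)
    return hits

# Constructed sample key: eight arbitrary 16-bit values, each multiplied by 11.
SAMPLE_KEY = "-".join(
    f"{n * 11:06d}" for n in (12345, 54321, 65535, 0, 1000, 40000, 22222, 31415)
)

# Constructed text file: one real-looking key and one 48-digit look-alike.
SAMPLE_NOTE = (
    "BitLocker Drive Encryption recovery key\n"
    f"Recovery Key:\n{SAMPLE_KEY}\n"
    "Order ref: " + "-".join(["123456"] * 8) + "\n"
)

if __name__ == "__main__":
    print(check_recovery_password(SAMPLE_KEY))
    print(find_recovery_passwords(SAMPLE_NOTE))
```

A well-formed result only means the digits are plausible; it does not show that the password belongs to a particular drive.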
BitLocker is the Windows encryption technology that protects your data from unauthorized access by encrypting your drive and requiring one or more factors of authentication before it will unlock it.
This extra step is a security precaution intended to keep your data safe and secure. This can also happen if you make changes in hardware, firmware, or software which BitLocker cannot distinguish from a possible attack.
In these cases, BitLocker may require the extra security of the recovery key even if the user is an authorized owner of the device. This is to be certain that the person trying to unlock the data really is authorized.
There are three common ways for BitLocker to start protecting your device:
- Your device is a modern device that meets certain requirements to automatically enable device encryption: In this case your BitLocker recovery key is automatically saved to your Microsoft account before protection is activated.
- An owner or administrator of your device activated BitLocker protection (also called device encryption on some devices) through the Settings app or Control Panel: In this case the user activating BitLocker either selected where to save the key or (in the case of device encryption) it was automatically saved to their Microsoft account.
- A work or school organization that is managing your device (currently or in the past) activated BitLocker protection on your device: In this case the organization may have your BitLocker recovery key.
BitLocker is always activated by or on behalf of a user with full administrative access to your device, whether this is you, another user, or an organization managing your device.
The BitLocker setup process requires the creation of a recovery key at the time of activation.
Important: If you are unable to locate a required BitLocker recovery key and are unable to revert any configuration change that might have caused it to be required, you’ll need to reset your device using one of the Windows recovery options.
Resetting your device will remove all of your files.
Windows Server 2016 and above. The user can supply the recovery password. If your organization allows users to print or store recovery passwords, the user can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft Account online.
(Saving a recovery password with your Microsoft Account online is only allowed when BitLocker is used on a PC that is not a member of a domain). A data recovery agent can use their credentials to unlock the drive.
If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed.
This method requires that you have enabled this recovery method in the BitLocker Group Policy setting Choose how BitLocker-protected operating system drives can be recovered located at Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives in the Local Group Policy Editor.
For more information, see BitLocker Group Policy settings.
On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use BitLocker Device Encryption only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode.
To take advantage of this functionality, administrators can set the Interactive logon: Machine account lockout threshold Group Policy setting located in \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options in the Local Group Policy Editor.
Or they can use the MaxFailedPasswordAttempts policy of Exchange ActiveSync (also configurable through Microsoft Intune), to limit the number of failed password attempts before the device goes into Device Lockout.
However, devices with TPM 2.0 do not start BitLocker recovery in this case.