What Is a BitLocker Recovery Key in Windows?
A BitLocker recovery key is a unique 48-digit numerical password used to unlock an encrypted Windows drive when normal unlocking is not possible. BitLocker usually unlocks the system drive automatically by using the Trusted Platform Module (TPM), your PIN, or another configured protector. If Windows cannot confirm that the boot environment is safe, it may stop at a blue BitLocker recovery screen and ask for this key.
The recovery key is not the same as your Windows password, Microsoft account password, PIN, BIOS password, or product key. It is a separate emergency credential created when BitLocker or Device Encryption is enabled.
Recovery key format: 123456-123456-123456-123456-123456-123456-123456-123456
Key ID example: A1B2C3D4
The Key ID identifies which recovery key belongs to the locked drive. The recovery key is the full 48-digit number you type to unlock the drive.
Why Windows Asks for a BitLocker Recovery Key
Windows asks for the BitLocker recovery key when it detects a change that could affect the integrity of the encrypted drive or the boot chain. This does not always mean someone tried to attack the computer. It often happens after legitimate hardware, firmware, or software changes.
Common reasons for the BitLocker recovery screen
- BIOS or UEFI update changed the boot environment.
- TPM settings were reset, cleared, disabled, or changed.
- Secure Boot settings were modified.
- Boot order changed, for example after using a USB flash drive.
- Windows entered Automatic Repair after failed startup attempts.
- Major Windows update changed boot-related files.
- Disk, motherboard, or storage controller changes affected the system configuration.
- BitLocker detected a possible unauthorized access attempt.
If the prompt appeared after a firmware update or BIOS configuration change, entering the correct recovery key once may be enough. If the recovery screen returns on every boot, you should check TPM, Secure Boot, boot order, and BitLocker protector status.
How to Use the BitLocker Recovery Key ID
When the recovery screen appears, Windows displays a Recovery Key ID. Write down the first eight characters exactly as shown. This ID helps you choose the correct recovery key if your Microsoft account, work account, or administrator portal contains several keys.
- On the BitLocker recovery screen, find the Recovery Key ID.
- Write down the first eight characters.
- Open your saved recovery keys on another phone, tablet, or PC.
- Compare the Key ID on the screen with the Key ID shown next to each saved key.
- Enter the matching 48-digit recovery key.
A BitLocker recovery key is long for a reason. Use the Key ID to locate the exact matching key instead of trying random keys from another device or drive.
How to Find the BitLocker Recovery Key in a Microsoft Account
On personal Windows devices, the recovery key is often backed up to the Microsoft account that was used when Device Encryption or BitLocker was enabled. This is common on many modern Windows 11 laptops and some Windows 10 devices.
1. Use another device
Open a browser on a phone, tablet, or another computer. You cannot open Windows normally on the locked PC until the drive is unlocked.
2. Sign in to Microsoft
Go to the Microsoft recovery key page and sign in with the Microsoft account that was used on the locked device.
3. Match the Key ID
Find the recovery key whose Key ID matches the ID shown on the BitLocker recovery screen.
4. Enter the 48 digits
Type the full recovery key into the recovery screen. Hyphens are usually optional; the numbers are what matter.
Microsoft’s recovery key page is usually available through this short address:
https://aka.ms/myrecoverykey
If someone else set up the computer, the key may be stored in that person’s Microsoft account rather than yours.
How to Find a BitLocker Recovery Key in a Work or School Account
If the PC was connected to an organization, domain, Microsoft Entra ID tenant, school account, or company management system, the recovery key may be stored by the organization. In that case, you may be able to view it yourself, or you may need to contact the IT department.
- Open a browser on another device.
- Go to the work or school recovery key page.
- Sign in with your organization account.
- Open the device list.
- Select the locked device.
- Choose the BitLocker keys option.
- Match the Key ID and enter the corresponding 48-digit key.
Work or school recovery key page: https://aka.ms/aadrecoverykey
For company or school computers, do not disable BitLocker, clear the TPM, reinstall Windows, or remove the drive before checking with IT. Organization policies may require encryption and may automatically re-enable it.
Other Places Where a BitLocker Recovery Key May Be Saved
If the key is not in your Microsoft account, check every place where it could have been saved when BitLocker was enabled. The available locations depend on how encryption was turned on.
| Possible location | What to check |
|---|---|
| Printed copy | Look for a printed page titled BitLocker recovery key, recovery password, or drive encryption key. |
| USB flash drive | Check USB drives that were used when BitLocker was configured. The key may be saved as a text file. |
| Text file | Search other computers, external drives, cloud storage, or backup folders for files containing “BitLocker Recovery Key”. |
| Microsoft account | Check the account used during device setup, not only the account currently used for email. |
| Work or school account | Check the organization portal or contact IT support if the computer was managed. |
| Active Directory or management portal | For domain-joined PCs, administrators may have escrowed recovery keys in Active Directory, Microsoft Intune, or another endpoint management system. |
Search for these phrases on backup disks and cloud storage:
BitLocker Recovery Key
Recovery Key ID
Numerical Password
BitLocker Drive Encryption recovery key
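The search described above can be scripted on another Windows PC. This is an added PowerShell example, not part of the original page: it scans .txt files under a folder for the phrases listed, extracts any Key ID, and reports which file matches the ID on the recovery screen without printing the key itself. The function name, the demo folder, and the sample file contents are constructed for illustration.

```powershell
function Find-RecoveryKeyFile {
    param(
        [Parameter(Mandatory)][string]$Path,        # backup disk or synced cloud folder
        [Parameter(Mandatory)][string]$KeyIdPrefix  # first eight characters from the recovery screen
    )
    $phrases    = 'BitLocker Recovery Key|Recovery Key ID|Numerical Password|BitLocker Drive Encryption recovery key'
    $idPattern  = '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
    $keyPattern = '[0-9]{6}(-[0-9]{6}){7}'

    Get-ChildItem -Path $Path -Recurse -File -Filter *.txt -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $text = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
            # Skip unreadable files and files without any of the search phrases.
            if (-not $text -or $text -notmatch $phrases) { return }
            foreach ($m in [regex]::Matches($text, $idPattern)) {
                # Report where the key is, not the key: output may end up in logs.
                [pscustomobject]@{
                    File          = $file.FullName
                    KeyId         = $m.Value.ToUpper()
                    MatchesScreen = $m.Value.StartsWith($KeyIdPrefix, [StringComparison]::OrdinalIgnoreCase)
                    Has48DigitKey = [regex]::IsMatch($text, $keyPattern)
                }
            }
        }
}

# Constructed sample file; the identifier and key are made-up values.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'bl-key-search-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
BitLocker Drive Encryption recovery key

Identifier:
    A1B2C3D4-0000-1111-2222-333344445555

Recovery Key:
    135795-597531-000011-720885-135795-597531-000011-720885
'@ | Set-Content -Path (Join-Path $dir 'BitLocker Recovery Key A1B2C3D4.txt')

# Show only the files whose Key ID starts with the ID from the recovery screen.
Find-RecoveryKeyFile -Path $dir -KeyIdPrefix 'A1B2C3D4' | Where-Object MatchesScreen
```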
How to Enter the BitLocker Recovery Key Correctly
After you find the matching key, enter the 48 digits on the BitLocker recovery screen. On many recovery screens, hyphens are optional. You can type only the digits in sequence.
- Confirm that the Key ID on the screen matches the saved key.
- Type the 48-digit recovery key carefully.
- Use the number row or numeric keypad, and read the digits from your saved copy rather than typing from memory.
- Press Enter.
- If Windows starts, immediately back up the key again and check why recovery was triggered.
If the key is rejected
- Check that you selected the key with the matching Key ID.
- Make sure you are not using a key from another device or another drive.
- Check for typing errors: 0 and 8, 1 and 7, repeated groups, or missing digits.
- If several recovery keys are listed, compare the date, device name, and Key ID.
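An offline format check for the typing errors listed above, as an added PowerShell example that is not part of the original page. It relies on a property of BitLocker recovery passwords: each six-digit group is a multiple of 11 and is below 720896, so a single mistyped digit in a group always fails the check. The function name and the sample keys are constructed for illustration.

```powershell
function Test-RecoveryPasswordFormat {
    param([Parameter(Mandatory)][string]$Password)

    # Hyphens are optional on the recovery screen, so compare digits only.
    $digits    = $Password -replace '[-\s]', ''
    $badGroups = @()
    $reason    = ''

    if ($digits -notmatch '^[0-9]+$') {
        $reason = 'Only digits and hyphens are allowed.'
    } elseif ($digits.Length -ne 48) {
        $reason = "Expected 48 digits, found $($digits.Length)."
    } else {
        for ($i = 0; $i -lt 8; $i++) {
            $value = [int]$digits.Substring($i * 6, 6)
            # Each group encodes a 16-bit number multiplied by 11.
            if (($value % 11) -ne 0 -or $value -ge 720896) { $badGroups += ($i + 1) }
        }
        if ($badGroups.Count -gt 0) { $reason = "Recheck group(s): $($badGroups -join ', ')." }
    }

    [pscustomobject]@{
        Valid     = ($reason -eq '')
        BadGroups = $badGroups
        Reason    = $reason
    }
}

# Constructed sample values (every group is a multiple of 11); not a real key.
$good = '135795-597531-000011-720885-135795-597531-000011-720885'
# Same key with the last digit of group 2 typed as 7 instead of 1.
$typo = '135795-597537-000011-720885-135795-597531-000011-720885'

Test-RecoveryPasswordFormat $good   # Valid = True
Test-RecoveryPasswordFormat $typo   # Valid = False, BadGroups = 2
```

A key that passes is only well-formed; whether it belongs to this drive is still decided by the Key ID match.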
How to Back Up the BitLocker Recovery Key When Windows Still Starts
If Windows still starts normally, back up the recovery key before changing BIOS settings, updating firmware, reinstalling Windows, replacing hardware, or resizing partitions. A verified backup is much safer than trying to recover the key after the device is already locked.
Method 1: Use Control Panel
- Open Start and search for Manage BitLocker.
- Open BitLocker Drive Encryption.
- Next to the encrypted drive, select Back up your recovery key.
- Choose a safe backup method, such as saving to your Microsoft account, saving to a file, or printing the key.
Method 2: Use PowerShell or Command Prompt
Open Windows Terminal, PowerShell, or Command Prompt as administrator and run:
manage-bde -protectors -get C:
This command shows the protectors configured for drive C:. Look for the Numerical Password protector. If you need to save output to a file on another drive, use:
manage-bde -protectors -get C: > D:\BitLocker-Recovery-Key.txt
Do not save the only copy of the recovery key on the same encrypted drive. If that drive locks, you will not be able to access the file containing the key.
How to Prevent Unnecessary BitLocker Recovery Key Prompts
Some BitLocker recovery prompts can be avoided by suspending BitLocker before planned firmware, boot, or hardware changes. Suspending protection temporarily disables BitLocker checks while keeping the drive encrypted.
Before BIOS, UEFI, TPM, or boot changes
- Open Manage BitLocker.
- Next to the system drive, choose Suspend protection.
- Perform the BIOS update, firmware update, or hardware change.
- Restart Windows successfully.
- Resume BitLocker protection.
Command-line method
manage-bde -protectors -disable C:
manage-bde -protectors -enable C:
Always re-enable protection after the maintenance task is complete. Leaving BitLocker suspended weakens boot-time protection.
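A post-maintenance check for two risks this page describes, protection left suspended and a volume with no recovery password protector, as an added PowerShell example that is not part of the original page. Get-BitLockerVolume is the built-in BitLocker cmdlet and needs an elevated session; the function name and the sample objects are constructed so the logic can also be tried without touching a real volume.

```powershell
function Get-BitLockerMaintenanceFinding {
    # With no argument, the live volumes are read (elevated session required).
    param($Volume = (Get-BitLockerVolume))

    foreach ($v in $Volume) {
        # Cast enum values to strings so real and constructed objects compare alike.
        $types     = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $encrypted = "$($v.VolumeStatus)" -eq 'FullyEncrypted'

        [pscustomobject]@{
            MountPoint          = $v.MountPoint
            # Encrypted but protection off: BitLocker is suspended on this volume.
            Suspended           = $encrypted -and ("$($v.ProtectionStatus)" -eq 'Off')
            # False means there is no 48-digit recovery password to fall back on.
            HasRecoveryPassword = $types -contains 'RecoveryPassword'
        }
    }
}

# Constructed sample objects mimicking Get-BitLockerVolume output.
$sample = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'Off'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' }
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
        )
    }
    [pscustomobject]@{
        MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Password' })
    }
)

# C: is reported as Suspended; D: is reported as lacking a recovery password.
Get-BitLockerMaintenanceFinding -Volume $sample
```

For any volume reported as Suspended, run the `manage-bde -protectors -enable` command shown above.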
What to Do If the BitLocker Recovery Key Is Lost
If the recovery key is lost and the encrypted drive cannot be unlocked by any configured protector, the data on the drive is effectively inaccessible. This is the purpose of strong disk encryption: without the key, the encrypted data cannot be recovered by guessing a password or bypassing Windows.
Try these checks before giving up
- Sign in to every Microsoft account that may have been used on the PC.
- Check whether another family member, administrator, or previous owner set up the computer.
- Check work or school portals if the device was ever connected to an organization.
- Search printed documents, USB drives, external disks, cloud storage, password managers, and backup folders.
- For business PCs, contact IT support and provide the Key ID shown on the recovery screen.
You may need to wipe the drive and reinstall Windows. This removes the encrypted data. A clean installation can make the device usable again, but it cannot restore files from the locked BitLocker volume.
Useful BitLocker Administrator Commands in Windows
These commands are useful when Windows still starts or when you are working in a recovery environment with administrative access.
Check BitLocker status
manage-bde -status
Show protectors for the system drive
manage-bde -protectors -get C:
Suspend protection before maintenance
manage-bde -protectors -disable C:
Resume protection
manage-bde -protectors -enable C:
Unlock a data drive from Command Prompt
manage-bde -unlock D: -RecoveryPassword 123456-123456-123456-123456-123456-123456-123456-123456
Replace drive letters and recovery key values with your actual drive and key. Do not publish screenshots or logs that expose a real recovery key.
BitLocker Recovery Key FAQ
- Is a BitLocker recovery key the same as my Windows password?
- Why is the BitLocker recovery key 48 digits long?
- Can Microsoft support generate a new BitLocker recovery key for me?
- Can I bypass BitLocker without the recovery key?
- Does Windows Home use BitLocker?
- What should I do after successfully entering the recovery key?
🔑 Summary: Keep Your BitLocker Recovery Key Accessible
The BitLocker recovery key is the emergency unlock code for an encrypted Windows drive. It is usually a 48-digit numerical password, and the Recovery Key ID helps you identify the correct key when several keys are stored in the same account or organization portal.
The safest approach is simple: back up the key before you need it, store it outside the encrypted drive, verify that you can access it from another device, and suspend BitLocker before major BIOS, TPM, firmware, or boot configuration changes. If the key is lost and the drive cannot be unlocked, reinstalling Windows may be possible, but the encrypted files cannot be recovered from the locked volume.