You restart a perfectly healthy PC and instead of the login screen you get a blue page demanding a 48-digit BitLocker recovery key. Nothing is broken — BitLocker has decided the boot environment changed and won’t release the drive until you prove you’re allowed to. The whole job now is finding that key.
The key isn’t lost; it’s stored somewhere. Which “somewhere” depends entirely on how the drive was encrypted and who set it up. A home laptop almost always backed the key up to a Microsoft account. A work laptop put it in the company’s directory. This guide walks through every place the key lives, in the order you should check them, plus why the prompt appears and how to stop it from catching you out next time.
Where the key could be
Before hunting, work out which category your PC falls into. It narrows the search immediately.
Most likely location by PC type

| PC type | Most likely location |
|---|---|
| Personal PC, signed in with a Microsoft account | Microsoft account online |
| Work/school PC, modern cloud-managed | Entra ID (Azure AD) |
| Work PC on a traditional domain | On-premises Active Directory |
| Set up by you manually | Printout, saved .txt file, or USB stick |
Method 1: Your Microsoft account (most home PCs)
If this is a personal machine and you signed into Windows with a Microsoft account, this is almost certainly where the key is. Windows backs it up here automatically when BitLocker (or Device Encryption) is turned on.
From any phone or working computer:
- Go to account.microsoft.com/devices/recoverykey.
- Sign in with the same Microsoft account that was used on the locked PC.
- You’ll see a list of recovery keys grouped by device and Key ID.
- Match the Key ID shown on the BitLocker screen to an entry (the recovery screen may show only the opening characters of the ID, so compare the start of each listed ID with it), then read off the 48-digit recovery key.
Method 2: Entra ID / Azure AD (work or school PC)
If a workplace handed you the laptop and it’s cloud-managed, the key is stored against the device in Entra ID (formerly Azure AD). You’ll either need admin access or a quick word with your IT team.
As an administrator:
- Open the Microsoft Entra admin center (or Azure AD in the Azure portal).
- Go to Devices → All devices and find the machine.
- Open the device and look for BitLocker keys / Show recovery key.
- Match the Key ID and read the recovery key.
As an end user, you can often self-serve at your organization’s My Account / myaccount.microsoft.com device page if IT has enabled it. If not, the help desk can retrieve it in under a minute — give them the device name and the Key ID.
Method 3: On-premises Active Directory (domain PC)
On a traditional Windows domain, BitLocker keys are commonly escrowed into AD as child objects of the computer account, each of class msFVE-RecoveryInformation. Retrieving them takes a domain admin or delegated rights.
The friendly way is the Active Directory Users and Computers console: install the BitLocker Recovery Password Viewer (part of the BitLocker RSAT tools), find the computer object, and open its BitLocker Recovery tab. Each key is listed with its date and Key ID.
If you’d rather use PowerShell on a domain controller or a machine with RSAT:
# Find the recovery info objects under a computer account
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
-SearchBase (Get-ADComputer "PC-NAME").DistinguishedName `
-Properties msFVE-RecoveryPassword |
Select-Object Name, msFVE-RecoveryPassword
The Name of each object starts with the date and the Key ID, so you can pick the entry that matches the screen, and msFVE-RecoveryPassword is the 48-digit key.
Method 4: Printout, file, or USB
When BitLocker is turned on manually, Windows offers to save the key as a printout, a text file, or to a USB drive. If you set this PC up yourself, the key may be sitting in one of those places.
Places a manual backup tends to hide
- A printed sheet labelled 'BitLocker Recovery Key' filed with PC paperwork
- A .txt file named with a long GUID, on another drive or in cloud storage like OneDrive
- A USB stick kept with the laptop — the key is a plain text file in its root
- Saved into a password manager when you enabled encryption
The saved file is plain text and looks roughly like this, so it’s easy to recognise once you find it:
BitLocker Drive Encryption recovery key
Recovery Key ID: A1B2C3D4-...
Recovery Key: 123456-123456-123456-123456-123456-123456-123456-123456
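Because the saved file is plain text, a few lines of scripting can do the legwork for Methods 1 to 4: pull every Key ID and key out of a file (or out of text pasted from the account page or the AD query above), match the ID shown on the blue screen by prefix, and sanity-check the 48 digits before you type them. The check relies on a structural property of BitLocker recovery passwords: each 6-digit group is a 16-bit value multiplied by 11, so a well-formed group divides by 11 and is below 720896, which lets a single mistyped digit be caught. This is an added example, not code from the guide or from Microsoft; the file contents, IDs and keys in it are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A backup holds two values: a GUID Key ID and a recovery password of eight
# 6-digit groups. The regexes find them wherever the surrounding label text puts them.
KEY_ID_RE = re.compile(r"\b[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\b")
RECOVERY_KEY_RE = re.compile(r"\b\d{6}(?:-\d{6}){7}\b")

# Each 6-digit group is a 16-bit value multiplied by 11, so the last digit acts as
# a check digit: a well-formed group is divisible by 11 and below 65536 * 11.
MAX_GROUP = 65536 * 11


@dataclass
class RecoveryEntry:
    key_id: str
    recovery_key: str


def parse_backup_text(text: str) -> List[RecoveryEntry]:
    """Pull (Key ID, recovery key) pairs out of saved key files or pasted
    account/AD output, pairing them in the order they appear."""
    ids = KEY_ID_RE.findall(text)
    keys = RECOVERY_KEY_RE.findall(text)
    return [RecoveryEntry(i.upper(), k) for i, k in zip(ids, keys)]


def check_recovery_key(key: str) -> Optional[str]:
    """Return None when the key passes BitLocker's structural checks, or a
    message naming the first group that fails (catches typos before you retype it)."""
    groups = key.split("-")
    if len(groups) != 8 or not all(len(g) == 6 and g.isdigit() for g in groups):
        return "key must be eight groups of six digits"
    for n, g in enumerate(groups, start=1):
        value = int(g)
        if value % 11 != 0:
            return f"group {n} ({g}) fails its check digit"
        if value >= MAX_GROUP:
            return f"group {n} ({g}) is out of range"
    return None


def find_matching_key(screen_key_id: str, entries: List[RecoveryEntry]) -> Optional[RecoveryEntry]:
    """Match the Key ID from the recovery screen against parsed entries.
    Case-insensitive prefix match, so a shortened on-screen ID still matches."""
    prefix = screen_key_id.strip().upper()
    if not prefix:
        return None
    return next((e for e in entries if e.key_id.startswith(prefix)), None)


# Constructed sample: two saved key files concatenated, using the two label
# styles seen in practice. The IDs and keys are made up.
SAMPLE_BACKUP = """BitLocker Drive Encryption recovery key

Identifier:

\tA1B2C3D4-1234-5678-9ABC-DEF012345678

Recovery Key:

\t123453-456643-654643-111111-222222-333333-444444-700007

BitLocker Drive Encryption recovery key
Recovery Key ID: 0F9E8D7C-AAAA-BBBB-CCCC-123456789ABC
Recovery Key: 111111-222222-333333-444444-555555-666666-700007-123453
"""

if __name__ == "__main__":
    entries = parse_backup_text(SAMPLE_BACKUP)
    hit = find_matching_key("a1b2c3d4", entries)  # ID as read off the blue screen
    print("matched:", hit)
    print("problem:", check_recovery_key(hit.recovery_key) if hit else "no match")
```

Point it at the contents of every candidate .txt file (OneDrive, USB root, password-manager export) and it tells you which one belongs to the locked drive; the check-digit test will not tell you a key is the right one, only that it is not obviously mistyped.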
Why BitLocker asks for the key after BIOS changes
This part trips up a lot of people, so it’s worth understanding. BitLocker (with a TPM) ties the encryption to a set of measurements about how the PC boots — firmware version, Secure Boot state, boot files. If any of those change in a way the TPM can’t vouch for, BitLocker assumes the drive might have been moved or tampered with, and it falls back to asking for the recovery key.
Common triggers:
- A firmware/BIOS update
- Enabling or disabling Secure Boot, or changing TPM settings
- Hardware changes like swapping the motherboard
- Moving the encrypted drive to a different PC
- Sometimes a docking change or a stuck firmware setting
None of these mean BitLocker has failed. It’s doing exactly what it’s meant to. The fix is to enter the key once; after a normal boot it reseals to the new measurements and stops asking.
How to avoid the prompt: suspend before firmware work
If you know you’re about to update firmware or change Secure Boot/TPM settings, suspend BitLocker first. Suspending keeps the drive encrypted but parks the protectors so the PC can boot once without the key — which means the changed boot measurements don’t trip recovery.
# Suspend until the next restart (count = 1)
Suspend-BitLocker -MountPoint "C:" -RebootCount 1
# Or the classic command-line tool
manage-bde -protectors -disable C:
# Resume protection afterwards
Resume-BitLocker -MountPoint "C:"
Using -RebootCount 1 is the tidy approach for a single firmware update: BitLocker re-enables itself automatically after one restart, so you can’t forget to turn it back on. For a multi-restart firmware flash, suspend without a reboot count and resume manually when you’re done.
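The mechanism behind both the prompt and the suspend trick can be seen in a small model. A TPM records each boot component by extending a register: new value = hash(old value || hash(component)), so the final value depends on every component and on their order, and a changed firmware build changes it. BitLocker seals the volume key to those values (on a UEFI system with Secure Boot, PCRs 7 and 11 by default); when the replayed values differ, the key is not released and you get the recovery screen, and a suspended volume skips the check for the next boot and reseals afterwards. The Python below is an added example, not code from the guide and not how BitLocker's key hierarchy is actually implemented; the boot chains, volume key and recovery key are constructed values.

```python
import hashlib
from typing import List, Optional, Tuple

BootChain = List[Tuple[str, bytes]]  # (component name, component contents) in boot order


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(measurement)).
    Order matters and nothing can be un-extended, so the value is a record of the boot."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(chain: BootChain) -> bytes:
    """Replay a boot chain from a zeroed PCR into one composite digest."""
    pcr = b"\x00" * 32
    for _name, blob in chain:
        pcr = pcr_extend(pcr, blob)
    return pcr


class SealedVolume:
    """Toy model of a TPM-protected volume (not the real VMK/FVEK structure).
    The volume key is released when the replayed measurements equal the sealed ones,
    or, while protection is suspended, without any check at all."""

    def __init__(self, volume_key: bytes, recovery_key: str, chain: BootChain):
        self.volume_key = volume_key
        self.recovery_key = recovery_key
        self.sealed_pcr = measure_boot(chain)
        self.suspended_reboots = 0

    def suspend(self, reboot_count: int = 1) -> None:
        """Analogue of Suspend-BitLocker -RebootCount N: the TPM check is skipped for N boots."""
        self.suspended_reboots = reboot_count

    def boot(self, chain: BootChain) -> Tuple[str, Optional[bytes]]:
        """Return ("unlocked", key) or ("recovery", None) for a boot with this chain."""
        observed = measure_boot(chain)
        if self.suspended_reboots > 0:
            self.suspended_reboots -= 1
            self.sealed_pcr = observed  # protection resumes, resealed to what was just measured
            return "unlocked", self.volume_key
        if observed == self.sealed_pcr:
            return "unlocked", self.volume_key
        return "recovery", None

    def enter_recovery_key(self, typed_key: str, chain: BootChain) -> bool:
        """The recovery path: a correct key unlocks once and reseals to the current measurements."""
        if typed_key != self.recovery_key:
            return False
        self.sealed_pcr = measure_boot(chain)
        return True


# Constructed boot chains: the only difference is the firmware build string.
OLD_BOOT: BootChain = [("firmware", b"UEFI build 1.10"), ("secure_boot", b"enabled"), ("bootmgr", b"bootmgfw.efi v1")]
NEW_BOOT: BootChain = [("firmware", b"UEFI build 1.11"), ("secure_boot", b"enabled"), ("bootmgr", b"bootmgfw.efi v1")]
RECOVERY_KEY = "123453-456643-654643-111111-222222-333333-444444-700007"  # made-up value


def firmware_update_scenario(suspend_first: bool) -> Tuple[List[str], bool]:
    """Boot once on old firmware, flash, boot twice on new firmware.
    Returns the sequence of boot outcomes and whether the recovery key was needed."""
    vol = SealedVolume(b"constructed-volume-key", RECOVERY_KEY, OLD_BOOT)
    log = [vol.boot(OLD_BOOT)[0]]
    if suspend_first:
        vol.suspend(reboot_count=1)
    state, _ = vol.boot(NEW_BOOT)  # first boot after the flash
    log.append(state)
    needed_key = state == "recovery"
    if needed_key:
        if not vol.enter_recovery_key(RECOVERY_KEY, NEW_BOOT):
            raise RuntimeError("recovery key rejected")
        log.append("unlocked-via-recovery-key")
    log.append(vol.boot(NEW_BOOT)[0])  # second boot on the new firmware
    return log, needed_key


if __name__ == "__main__":
    for suspend in (False, True):
        print("suspend first" if suspend else "no suspend", "->", firmware_update_scenario(suspend))
```

Running it shows the two paths side by side: without suspending, the first boot on the new firmware lands in recovery and only the key gets you past it, after which the volume is resealed and boots cleanly; with a one-reboot suspend, the same firmware change never triggers recovery at all.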
If you truly can’t find it
Be straight with yourself here: BitLocker has no back door. If the key isn’t in any Microsoft account you own, your organization’s directory, a printout, a file, or a USB stick, the encrypted data cannot be recovered. That’s the entire point of the feature.
Before giving up, run the list one more time — wrong Microsoft account and an overlooked OneDrive text file account for most “lost” keys. If it’s a work device, the help desk is your best shot; the key is very likely sitting in Entra ID or AD whether or not you can see it yourself.
Wrapping up
Finding a BitLocker recovery key is mostly about knowing where to look, and that comes down to how the PC was set up. Personal machine: check your Microsoft account online. Work machine: it’s in Entra ID or Active Directory, and IT can pull it fast. Self-managed: dig out the printout, file, or USB you saved at the time.
And once you’re back in, save yourself the repeat scare — note where your key lives, and suspend BitLocker before any firmware update or Secure Boot change so a planned boot change doesn’t lock you out.