A Windows BitLocker recovery key is a 48-digit numerical password (eight groups of six digits) that unlocks an encrypted drive when BitLocker cannot unlock it automatically. When that happens, the recovery key is the only way back into the volume: there is no vendor back door, and no repair shop or forensics lab can bypass the encryption without it.
For instance, the Western Australia Police Force, in a 2024 submission to the parliamentary committee, detailed the challenges they face in accessing encrypted data, noting that the legislative and technological landscape makes it difficult to keep pace with digital criminals. This demonstrates that encryption, like the kind provided by BitLocker, is a formidable tool for data protection; one that can even challenge law enforcement agencies.
This guide will help you understand why and where to find your recovery key so that you’ll never be locked out of your own secure data.
When do you need your Windows BitLocker recovery key?
BitLocker prompts for the recovery key when the TPM refuses to release the volume key because the measured boot chain (firmware, boot manager, boot configuration) no longer matches the values that were sealed when BitLocker was enabled. Common triggers include:
- BIOS/UEFI updates
- TPM firmware changes or a TPM clear
- Boot order modifications
- Turning Secure Boot on or off
- Hardware replacements (motherboard, and on some systems disk or GPU changes)
“I once supported a client who upgraded their TPM without suspending BitLocker, resulting in a locked system and urgent recovery efforts.”
Ruben Castellano Gonzalez
Proactive mitigation strategies include:
- Suspending BitLocker before hardware or firmware changes
- Avoiding booting with external USBs connected
- Keeping BIOS and TPM firmware updated (only after backing up recovery keys)
- Using Group Policy to configure BitLocker behavior, for example the TPM platform validation profile, so that routine changes do not trigger unnecessary recovery prompts
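The first mitigation above is the one that would have saved the client in the quote: suspend protection for exactly one reboot, after confirming the recovery password is known, before flashing firmware. The following is an added example for this guide, not code from the original article; it assumes the OS volume is C:, an elevated PowerShell session, and the built-in BitLocker module.

```powershell
# Added example: suspend BitLocker for one reboot before a BIOS/TPM update,
# but only after confirming a recovery password protector exists and recording it.
# Assumes the OS volume is C: and the session is elevated.

$MountPoint = 'C:'
$vol = Get-BitLockerVolume -MountPoint $MountPoint

# The Key ID shown on the blue recovery screen is the first 8 characters of the
# protector GUID; record both the ID and the 48-digit password before touching firmware.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    throw "No RecoveryPassword protector on $MountPoint - add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector and back it up first."
}
$rp | ForEach-Object {
    "Key ID {0}  Recovery password {1}" -f $_.KeyProtectorId, $_.RecoveryPassword
}

# Suspend protection for one reboot only. While suspended the volume master key is
# stored in the clear on disk, so RebootCount bounds the exposure: Windows re-enables
# protection on the next boot and re-seals to the new firmware/TPM measurements.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null

# Verify before flashing: ProtectionStatus must be Off. The volume stays encrypted
# (VolumeStatus remains FullyEncrypted); only the TPM protector is temporarily disabled.
$check = Get-BitLockerVolume -MountPoint $MountPoint
if ($check.ProtectionStatus -ne 'Off') {
    throw "Protection is still $($check.ProtectionStatus); do not update firmware yet."
}
"BitLocker suspended on $MountPoint for 1 reboot. Apply the BIOS/TPM update and reboot now."

# If plans change, re-arm immediately instead of waiting for the reboot:
# Resume-BitLocker -MountPoint $MountPoint
```

`-RebootCount 1` is the important detail: `Suspend-BitLocker` with no count leaves protection off indefinitely, which is the state an attacker with physical access wants to find.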
BitLocker key storage on personal devices, workgroup machines and domain-joined systems
| Device type | Description | BitLocker key storage | Recovery challenges |
|---|---|---|---|
| Personal devices | A standalone computer used by an individual, not managed by an organization. | The key is typically saved to the user’s Microsoft account, a USB drive, a printed copy, or a local file. The user is responsible for its backup. | High risk of data loss if the user forgets their Microsoft account password or misplaces the USB drive or printout. No centralized support to fall back on. |
| Workgroup machines | A computer that is part of a local peer-to-peer network but is not centrally managed. | The key relies on manual storage, such as USB drives, printed copies, or local files. There is no central, automatic backup. | High risk of data loss for the user or the organization due to the lack of a central key repository and reliance on manual processes. |
| Domain-joined systems | A computer centrally managed by an organization’s domain controller. | Keys are stored automatically in a central repository, such as Active Directory (AD) or Entra ID (formerly Azure AD). IT administrators can securely retrieve the key as needed. | The user cannot recover the key themselves, requiring assistance from an IT admin which can cause delays. Recovery is dependent on proper configuration of the central backup system. |
Step-by-step guide to finding your Windows BitLocker recovery key
Method 1: Microsoft Account (personal devices)
This method is best for home users or unmanaged devices, but you need to have access to your Microsoft account. Once you’ve confirmed access, follow these steps:
- Go to the Microsoft account recovery key page (https://account.microsoft.com/devices/recoverykey)
- Sign in with the Microsoft account used during BitLocker setup
- Verify identity via 2FA if prompted
- Locate the recovery key whose Key ID starts with the eight characters displayed on the locked device’s recovery screen
- Enter the 48-digit key on the device to unlock
Pro tip: Sign in with a Microsoft account during Windows setup and confirm the key is listed on the recovery key page afterward. As long as you can sign in to that account from any other device, you can retrieve the key.
Method 2: Azure AD / Entra ID (cloud-joined devices)
This method works best for devices joined to Entra ID (including Microsoft 365 tenants) but requires an Entra role that is allowed to read BitLocker keys, such as Global Administrator or Cloud Device Administrator. Follow these steps:
- Sign in to the Microsoft Entra admin center (entra.microsoft.com) as the admin
- Navigate to Devices > All devices
- Select the affected device
- Open BitLocker keys and choose Show Recovery Key
- Match the Key ID shown on the locked device and copy the full key
- Provide it to the user or enter it directly on the device
Pro tip: Enforce automatic key escrow to Entra ID with an Intune (formerly Microsoft Endpoint Manager) disk encryption policy so that no device is encrypted without its key being backed up. Every read of a key through the portal or Graph is recorded in the Entra audit log, so key retrieval can be reviewed later.
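The same lookup the portal performs can be scripted, which matters when a help desk handles recovery at scale. The example below is added for this guide and is not code from the original article; it assumes the Microsoft.Graph PowerShell SDK is installed on the admin workstation, that the admin holds a role allowed to read BitLocker keys, and uses placeholder device and Key ID values.

```powershell
# Added example, two halves:
#  (1) on the Entra-joined client, escrow the recovery password to Entra ID;
#  (2) on the admin workstation, find and reveal it through Microsoft Graph.
# Assumes the Microsoft.Graph SDK and a role permitted to read BitLocker keys.

# --- (1) Client side: push every RecoveryPassword protector on C: to Entra ID ---
$vol = Get-BitLockerVolume -MountPoint 'C:'
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object {
        BackupToAAD-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $_.KeyProtectorId
    }
# The Entra device ID is what the admin searches by; dsregcmd prints it as "DeviceId : <guid>".
(dsregcmd /status | Select-String 'DeviceId\s*:\s*(\S+)').Matches.Groups[1].Value

# --- (2) Admin side: locate the escrowed key by device ID, then reveal it ---
Connect-MgGraph -Scopes 'BitLockerKey.Read.All'      # interactive sign-in; MFA applies
$deviceId = '00000000-0000-0000-0000-000000000000'  # placeholder: Entra device ID of the locked PC

# Listing returns metadata only (Id = the Key ID, CreatedDateTime, VolumeType), never the key.
$keys = Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$deviceId'"
$keys | Select-Object Id, CreatedDateTime, VolumeType | Format-Table

# Match the 8-character Key ID from the recovery screen, then request the key explicitly.
# This second call is what gets audited, so tie it to a ticket.
$keyId = ($keys | Where-Object Id -like 'A1B2C3D4*').Id   # placeholder prefix from the recovery screen
if (-not $keyId) { throw 'No escrowed key matches that Key ID; the key may have been rotated or never backed up.' }
$full  = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $keyId -Property 'key'
"Recovery key for $keyId : $($full.Key)"
```

Separating the list call from the `-Property 'key'` call is deliberate: the first is cheap and safe to run broadly, the second exposes the secret and should be done only for the one Key ID the user read off the screen.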
Method 3: Active Directory (domain-joined devices)
This method works best for on-premises enterprise environments. It requires Active Directory Users and Computers (ADUC) with the BitLocker Recovery tab, which is installed by the “BitLocker Drive Encryption Administration Utilities” RSAT feature, plus read permission on the msFVE-RecoveryInformation objects stored under each computer account (by default, Domain Admins). Follow these steps:
- Open ADUC on a domain controller or on an admin workstation with the RSAT feature installed
- Locate the computer object
- Right-click > Properties > BitLocker Recovery tab
- View the stored recovery passwords (one entry per escrowed protector, newest last)
- Match the Key ID shown on the locked device and retrieve the full 48-digit key

Pro tip: You can enforce key backup to Active Directory with Group Policy under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Enable “Choose how BitLocker-protected operating system drives can be recovered”, tick “Save BitLocker recovery information to AD DS for operating system drives”, and also tick “Do not enable BitLocker until recovery information is stored to AD DS for operating system drives” so that encryption cannot start on a machine that could not reach a domain controller. The policy only covers protectors created after it applies; keys that already existed must be escrowed manually.
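Because the policy does not retroactively escrow existing keys, it is worth verifying on the client and then pulling the key from AD the same way the ADUC tab does. The script below is an added example for this guide, not code from the original article; it assumes the GPO from the pro tip, the ActiveDirectory RSAT module on the admin host, read rights on msFVE-RecoveryInformation objects, and placeholder computer and Key ID values.

```powershell
# Added example: (1) confirm the AD DS escrow policy is applied on a domain-joined client
# and escrow existing protectors; (2) query the escrowed keys from AD as an admin.
# Assumes the ActiveDirectory RSAT module and rights on msFVE-RecoveryInformation objects.

# --- (1) Client side: the GPO lands in the FVE policy key; both values should be 1 ---
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve.OSActiveDirectoryBackup -ne 1 -or $fve.OSRequireActiveDirectoryBackup -ne 1) {
    Write-Warning 'AD DS backup is not enforced by policy on this machine; keys may never be escrowed.'
}
# Escrow protectors that pre-date the policy (Backup-BitLockerKeyProtector writes to AD DS):
$vol = Get-BitLockerVolume -MountPoint 'C:'
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $_.KeyProtectorId }

# --- (2) Admin side: recovery info lives as child objects of the computer account ---
function Get-AdBitLockerKey {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$KeyIdPrefix   # the 8 characters shown on the recovery screen; optional
    )
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -Properties 'msFVE-RecoveryPassword','msFVE-RecoveryGuid','whenCreated' |
        ForEach-Object {
            # msFVE-RecoveryGuid is stored as raw bytes; turn it into the GUID the user sees
            [pscustomobject]@{
                Computer    = $ComputerName
                KeyId       = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid').Guid.ToUpper()
                Created     = $_.whenCreated
                RecoveryKey = $_.'msFVE-RecoveryPassword'
            }
        } |
        Where-Object { -not $KeyIdPrefix -or $_.KeyId -like "$KeyIdPrefix*" } |
        Sort-Object Created -Descending
}

# Usage: newest key first; filter by the prefix the user reads off the recovery screen.
Get-AdBitLockerKey -ComputerName 'WKS-0042' -KeyIdPrefix 'A1B2C3D4'   # placeholders
```

Access to the msFVE-RecoveryPassword attribute is what protects every escrowed key in the forest, so treat read rights on those objects like domain-admin credentials and audit who holds them.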
Method 4: Local File/USB/Printed Copy
This method works best for manual backup scenarios, such as workgroup or unmanaged devices, and only requires physical access to the backup. Follow these steps:
- Search your local disk in File Explorer for BitLocker*.txt. Windows names the saved file “BitLocker Recovery Key <Key ID>.TXT”, so also check the Documents, Desktop and Downloads folders, and any OneDrive folder, for .txt files with that name
- Check USB drives and printed copies; a printed key shows the same Identifier and Recovery Key lines as the text file
- Match the Key ID with the prompt on the locked device
- Enter the 48-digit key manually
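Matching the Key ID is the step people get wrong when several keys have been saved over the years. This added example, not code from the original article, scans every attached drive for files Windows saved and returns only the one whose identifier starts with the characters on the recovery screen. It assumes you are on a working PC with the USB stick or data drives plugged in, and the prefix is a placeholder.

```powershell
# Added example: find saved recovery-key files on all attached drives and select the one
# whose Identifier matches the Key ID prefix displayed by the locked PC.
# Assumes a working PC with the backup media attached; the prefix is a placeholder.

function Find-SavedBitLockerKey {
    param([Parameter(Mandatory)][string]$KeyIdPrefix)   # first 8 chars from the recovery screen
    $guidRx = '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
    $keyRx  = '(\d{6}-){7}\d{6}'                        # 8 groups of 6 digits

    # Windows names the file "BitLocker Recovery Key <GUID>.TXT"; the filter is case-insensitive.
    Get-PSDrive -PSProvider FileSystem | ForEach-Object {
        Get-ChildItem -Path $_.Root -Recurse -Filter 'BitLocker*.txt' -File -ErrorAction SilentlyContinue
    } | ForEach-Object {
        $text = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
        if ($text -and $text -match $keyRx) {
            $key = $Matches[0]
            $id  = [regex]::Match($text, $guidRx).Value   # the Identifier line in the file
            [pscustomobject]@{
                File        = $_.FullName
                Identifier  = $id.ToUpper()
                RecoveryKey = $key
            }
        }
    } | Where-Object { $_.Identifier.StartsWith($KeyIdPrefix.ToUpper()) }
}

# Usage: type the 8 characters exactly as shown under "Key ID" on the recovery screen.
Find-SavedBitLockerKey -KeyIdPrefix 'A1B2C3D4' | Format-List   # placeholder prefix
```

If the search returns a file whose identifier does not start with the prefix on screen, that key belongs to a different volume or to an earlier encryption of the same disk, and entering it will be rejected.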

Troubleshooting: What if the recovery key is still lost or doesn’t work?
Finding yourself locked out of an encrypted drive can be a stressful experience, especially when the recovery key seems to have vanished. If a device is mission-critical and the BitLocker recovery key cannot be found, try these steps:
- Assess for a recent backup: The first and most important step is to determine if a recent data backup exists. If so, the most efficient solution is to restore the data to a new device.
- Verify managed devices: For devices managed by an organization, check whether the key was escrowed centrally before assuming it is gone. Look in Active Directory, Entra ID, or Intune for a key whose ID matches the one on the recovery screen.
- Attempt data recovery: If you have found a key but it is rejected, first confirm that its Key ID matches the one on the recovery screen and that the key has not since been rotated (Intune and Entra can rotate recovery passwords after use, which invalidates older printouts). If the key is correct but the volume still will not unlock, the drive or its BitLocker metadata may be damaged. In that case you may still be able to use the BitLocker Repair Tool (repair-bde). This command-line utility is a last-ditch effort to extract readable data from the encrypted volume, and success is not guaranteed. It never writes to the damaged drive: it reconstructs the critical encryption metadata and salvages any recoverable data blocks onto a separate target drive, using the recovery password (-rp) or key file (-rk) you supply.
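A typical repair-bde run, shown as an added example rather than code from the original article, looks like the following. It assumes C: is the damaged volume, D: is an empty target volume at least as large (it will be overwritten), a log path on a third drive, and a placeholder recovery password; run it elevated from a working Windows install or WinRE with the damaged disk attached. The checksum test at the top is a property of the recovery-password format: each six-digit group is a 16-bit value multiplied by 11, so a mistyped digit fails before you commit to an hours-long copy.

```powershell
# Added example: last-resort salvage with repair-bde after validating the recovery password.
# Assumes C: is damaged, D: is an EMPTY target of at least the same size, and the
# 48-digit recovery password is known. The password below is a placeholder.

$Damaged = 'C:'
$Target  = 'D:'
$Log     = 'E:\repair-bde.log'
$RecoveryPassword = '000000-000000-000000-000000-000000-000000-000000-000000'  # placeholder

# Format check: 8 groups of 6 digits, each group is a 16-bit value * 11, so it must be
# divisible by 11 and no larger than 65535 * 11 = 720885. Catches typos from a printout.
function Test-BitLockerRecoveryPassword([string]$rp) {
    $blocks = $rp -split '-'
    if ($blocks.Count -ne 8) { return $false }
    foreach ($b in $blocks) {
        if ($b -notmatch '^\d{6}$') { return $false }
        $n = [int]$b
        if ($n % 11 -ne 0 -or $n -gt 720885) { return $false }
    }
    return $true
}
if (-not (Test-BitLockerRecoveryPassword $RecoveryPassword)) {
    throw 'That is not a well-formed BitLocker recovery password; re-check the printout.'
}

# repair-bde reads from the damaged volume and writes everything it can decrypt to the
# target. Use -rk <path.bek> instead of -rp if you have the key file rather than the password.
repair-bde $Damaged $Target -rp $RecoveryPassword -lf $Log
if ($LASTEXITCODE -ne 0) {
    Write-Warning "repair-bde exited with $LASTEXITCODE; read $Log to see which blocks were recoverable."
}
```

Do not point `$Target` at the damaged disk itself or at a drive with data on it: repair-bde overwrites the output volume, and a failed run on the only copy leaves nothing to retry from.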
If all recovery options fail and your device is still locked, the only remaining solution is to perform a clean operating system reinstall. This will result in permanent data loss, which is why a robust backup strategy is essential. If this happened to a business PC instead of a personal PC, your organization should review their encryption policies to ensure all future keys are backed up to secure, centralized locations.
Simplify your BitLocker recovery key management
Understanding each storage location matters when you need a key in a hurry, but relying on them individually is inefficient and risky: a single missed backup can cost an entire drive of data. An IT management platform such as Atera can centralize and automate BitLocker key management, removing the guesswork and manual steps.
With Atera’s Autonomous IT, you can:
- Automate key backup: Atera ensures that all BitLocker recovery keys are automatically and securely backed up to your centralized dashboard. This eliminates the risk of a lost key and the potential for permanent data loss, regardless of whether a device is personal, workgroup, or domain-joined.
- Centralize recovery: Instead of navigating between different systems like Active Directory or Azure AD, you can find a device’s recovery key in seconds from within Atera’s unified platform. This streamlines the recovery process for IT professionals and drastically reduces downtime for end users.