BitLocker recovery overview (2024)

Applies to: Windows 11, Windows 10, Windows Server 2022, Windows Server 2019, Windows Server 2016

BitLocker recovery is the process by which access to a BitLocker-protected drive can be restored if the drive doesn't unlock using its default unlock mechanism.

This article describes scenarios that trigger BitLocker recovery, how to configure devices to save recovery information, and the options to restore access to a locked drive.

BitLocker recovery scenarios

The following list provides examples of common events that cause a device to enter BitLocker recovery mode when starting Windows:

As part of the BitLocker recovery process, it's recommended to determine what caused a device to enter recovery mode. Root cause analysis might help to prevent the problem from occurring again in the future. For instance, if you determine that an attacker modified a device by obtaining physical access, you can implement new security policies for tracking who has physical presence.

For planned scenarios, such as known hardware or firmware upgrades, initiating recovery can be avoided by temporarily suspending BitLocker protection. Suspending BitLocker leaves the drive fully encrypted, and the administrator can quickly resume BitLocker protection after the planned task is completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key.

Note

If suspended, BitLocker automatically resumes protection when the device is rebooted, unless a reboot count is specified using PowerShell or the manage-bde.exe command line tool. For more information about suspending BitLocker, review the BitLocker operations guide.
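The suspend/resume procedure above, as an added PowerShell example that is not part of the original article. It assumes the built-in BitLocker module in an elevated session and that the OS drive is C:; the two function names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. Suspends OS-drive protection
# for a fixed number of reboots around a planned firmware/hardware change, and
# verifies afterwards that protection came back on.

function Invoke-PlannedBitLockerSuspend {
    param(
        [string]$MountPoint = 'C:',
        # Protection resumes automatically after this many reboots (0 = until Resume-BitLocker is run)
        [ValidateRange(0, 15)][int]$RebootCount = 1
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        throw "Protection is not On for $MountPoint (status: $($vol.ProtectionStatus)); nothing to suspend"
    }
    # Refuse to proceed without a recovery password protector: if the firmware change
    # still fails PCR validation after resume, that protector is the only way back in.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        throw "No RecoveryPassword protector on $MountPoint; add and back one up before suspending"
    }
    # Suspend leaves the drive encrypted; the volume master key is stored in the clear
    # on the disk for the duration, so the measured-boot change does not trigger recovery.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    # Equivalent command-line form:  manage-bde.exe -protectors -disable C: -RebootCount 1
    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, ProtectionStatus, VolumeStatus
}

function Confirm-BitLockerResumed {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') { return $true }
    # Protection is still suspended (for example RebootCount 0 was used): resume now,
    # which reseals the key to the current TPM measurements without a recovery key.
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    return ((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -eq 'On')
}

# Usage: run the first call before the maintenance reboot, the second after it.
# Invoke-PlannedBitLockerSuspend -MountPoint 'C:' -RebootCount 1
# Confirm-BitLockerResumed -MountPoint 'C:'
```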

Tip

Recovery is described within the context of unplanned or undesired behavior. However, recovery can also be caused as an intended production scenario, for example in order to manage access control. When devices are redeployed to other departments or employees in the organization, BitLocker can be forced into recovery before the device is delivered to a new user.

Windows RE and BitLocker recovery

Windows Recovery Environment (Windows RE) can be used to recover access to a drive protected by BitLocker. If a device is unable to boot after two failures, Startup Repair starts automatically.

When Startup Repair is launched automatically due to boot failures, it only executes operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. On devices that support specific TPM measurements for PCR[7], the TPM validates that Windows RE is a trusted operating environment and unlocks any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM is disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically, and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker-protected drives.

Windows RE will also ask for your BitLocker recovery key when you start a Remove everything reset from Windows RE on a device that uses the TPM + PIN or Password for OS drive protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally.

The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help you enter your BitLocker recovery key:

  • To activate the narrator during BitLocker recovery in Windows RE, press WIN + CTRL + Enter
  • To activate the on-screen keyboard, tap on a text input control


If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available.

BitLocker recovery options

In a recovery scenario, the following options to restore access to the drive might be available, depending on the policy settings applied to the devices:

  • Recovery password: a 48-digit number used to unlock a volume when it is in recovery mode. The recovery password might be saved as a text file, printed or stored in Microsoft Entra ID or Active Directory. The user can supply a recovery password, if available

  • Recovery key: an encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume. The file name has a format of <protector_id>.bek. For the OS drive, the recovery key can be used to gain access to the device if BitLocker detects a condition that prevents it from unlocking the drive when the device is starting up. A recovery key can also be used to gain access to fixed data drives and removable drives that are encrypted with BitLocker, if for some reason the password is forgotten or the device can't access the drive

  • Key package: decryption key that can be used with the BitLocker Repair tool to reconstruct critical parts of a drive and salvage recoverable data. With the key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier. A key package isn't generated automatically, and can be saved on a file or in Active Directory Domain Services. A key package can't be stored in Microsoft Entra ID
  • Data Recovery Agent certificate: a Data Recovery Agent (DRA) is a type of certificate that is associated with an Active Directory security principal and that can be used to access any BitLocker encrypted drives configured with the matching public key. DRAs can use their credentials to unlock the drive. If the drive is an OS drive, the drive must be mounted as a data drive on another device for the DRA to unlock it

Tip

Both the Recovery password and Recovery key can be supplied by users in the Control Panel applet (for data and removable drives), or in the preboot recovery screen. It's recommended to configure policy settings to customize the preboot recovery screen, for example by adding a custom message, URL, and help desk contact information. For more information, review the article BitLocker preboot recovery screen.

When planning the BitLocker recovery process, first consult the organization's current best practices for recovering sensitive information. For example:

  • How does the organization handle lost or forgotten passwords?
  • How does the organization perform smart card PIN resets?
  • Are users allowed to save or retrieve recovery information for the devices that they own?
  • How much do you want users to be involved in the BitLocker configuration process? Do you want users to interact with the process, be silent, or both?
  • Where do you want to store the BitLocker recovery keys?
  • Do you want to enable recovery password rotation?

Answering the questions helps to determine the best BitLocker recovery process for the organization, and to configure BitLocker policy settings accordingly. For example, if the organization has a process for resetting passwords, a similar process can be used for BitLocker recovery. If users aren't allowed to save or retrieve recovery information, the organization can use data recovery agents (DRAs), or automatically back up recovery information.

The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive:

  • Choose how BitLocker-protected operating system drives can be recovered
  • Choose how BitLocker-protected fixed drives can be recovered
  • Choose how BitLocker-protected removable drives can be recovered

Tip

In each of these policies, select Save BitLocker recovery information to Active Directory Domain Services and then choose which BitLocker recovery information to store in AD DS. Use the option Do not enable BitLocker until recovery information is stored in AD DS to prevent users from enabling BitLocker unless the backup of BitLocker recovery information for the drive to Microsoft Entra ID or AD DS succeeds.

BitLocker recovery password

To recover BitLocker, a user can use a recovery password, if available. The BitLocker recovery password is unique to the device it was created on, and can be saved in different ways. Depending on the configured policy settings, the recovery password can be:

  • Saved in Microsoft Entra ID, for Microsoft Entra joined devices
  • Saved in AD DS, for devices that are joined to Active Directory
  • Saved to a text file
  • Printed

Having access to the recovery password allows the holder to unlock a BitLocker-protected volume and access all of its data. Therefore, it's important for your organization to establish procedures to control access to recovery passwords and ensure that they're stored securely, separate from the devices they protect.

Note

There's an option for storing the BitLocker recovery key in a user's Microsoft account. The option is available for devices that aren't members of a domain and on which the user signs in with a Microsoft account. Storing the recovery password in a Microsoft account is the default recommended recovery key storage method for devices that aren't Microsoft Entra joined or Active Directory joined.

Backup of the recovery password should be configured before BitLocker is enabled, but can also be done after encryption, as described in the BitLocker operations guide.

The preferred backup methodology in an organization is to automatically store BitLocker recovery information in a central location. Depending on the organization's requirements, the recovery information can be stored in Microsoft Entra ID, AD DS, or file shares.

The recommendation is to use the following BitLocker backup methods:

  • For Microsoft Entra joined devices, store the recovery key in Microsoft Entra ID
  • For Active Directory joined devices, store the recovery key in AD DS

Note

There's no automatic way to store the recovery key for removable storage devices in Microsoft Entra ID or AD DS. However, you can use PowerShell or the manage-bde.exe command to do so. For more information and examples, review the BitLocker operations guide.
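An added example (not from the article) of the PowerShell route the note refers to: escrow every recovery password protector, removable drives included, to AD DS or Microsoft Entra ID with the built-in Backup-BitLockerKeyProtector and BackupToAAD-BitLockerKeyProtector cmdlets. The function name and the -AddMissingProtector switch are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. Escrows every RecoveryPassword
# protector on every BitLocker volume (OS, fixed and removable) to AD DS or to
# Microsoft Entra ID, since policy does not do this automatically for removable drives.

function Backup-AllBitLockerRecoveryPasswords {
    param(
        [ValidateSet('ADDS', 'EntraID')][string]$Target = 'ADDS',
        # Opt in to creating a recovery password on volumes that have none (e.g. password-only removable drives)
        [switch]$AddMissingProtector
    )
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # nothing to escrow
        $rpList = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rpList.Count -eq 0 -and $AddMissingProtector) {
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $rpList = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                        Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
        if ($rpList.Count -eq 0) {
            [pscustomobject]@{
                MountPoint = $vol.MountPoint; VolumeType = $vol.VolumeType; KeyProtectorId = $null
                Target = $Target; Success = $false
                Error = 'No RecoveryPassword protector (rerun with -AddMissingProtector)'
            }
            continue
        }
        foreach ($rp in $rpList) {
            $err = $null
            try {
                if ($Target -eq 'ADDS') {
                    # Same as: manage-bde.exe -protectors -adbackup <drive> -id <KeyProtectorId>
                    Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
                } else {
                    BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
                }
            } catch { $err = $_.Exception.Message }
            [pscustomobject]@{
                MountPoint     = $vol.MountPoint
                VolumeType     = $vol.VolumeType          # OperatingSystem or Data (removable drives report Data)
                KeyProtectorId = $rp.KeyProtectorId       # the ID displayed on the recovery screen
                Target         = $Target
                Success        = ($null -eq $err)
                Error          = $err
            }
        }
    }
}

# Backup-AllBitLockerRecoveryPasswords -Target ADDS -AddMissingProtector | Format-Table
```

Keep the returned table with the change record: a Success of $false on a removable drive is the case the note above warns about, and it is the one a policy-only backup would silently miss.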

Data Recovery Agents

DRAs can be used to recover OS drives, fixed data drives, and removable data drives. However, when used to recover OS drives, the operating system drive must be mounted on another device as a data drive for the DRA to be able to unlock the drive. Data recovery agents are added to the drive when it's encrypted, and can be updated after encryption occurs.

The benefit of using a DRA over password or key recovery is that the DRA acts as a master key for BitLocker. With a DRA you can recover any volume protected by the policy, without having to find a specific password or key for each individual volume.

To configure DRAs for devices that are joined to an Active Directory domain, the following steps are required:

  1. Obtain a DRA certificate. The following key usage and enhanced key usage attributes are inspected by BitLocker before using the certificate.
    1. If a key usage attribute is present, it must be either:
      • CERT_DATA_ENCIPHERMENT_KEY_USAGE
      • CERT_KEY_AGREEMENT_KEY_USAGE
      • CERT_KEY_ENCIPHERMENT_KEY_USAGE
    2. If an enhanced key usage (EKU) attribute is present, it must be either:
      • As specified in the policy setting, or the default 1.3.6.1.4.1.311.67.1.1
      • Any EKU object identifier supported by your certification authority (CA)
  2. Add the DRA via group policy using the path: Computer configuration > Policies > Windows Settings > Security Settings > Public Key Policies > BitLocker Drive Encryption
  3. Configure the Provide the unique identifiers for your organization policy setting to associate a unique identifier to a new drive that is enabled with BitLocker. An identification field is a string that is used to uniquely identify a business unit or organization. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker only manages and updates DRAs when an identification field is present on a drive, and is identical to the value configured on the device
  4. Configure the following policy settings to allow recovery using a DRA for each drive type:
    • Choose how BitLocker-protected operating system drives can be recovered
    • Choose how BitLocker-protected fixed drives can be recovered
    • Choose how BitLocker-protected removable drives can be recovered
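An added PowerShell check (not the article's or BitLocker's own code) that applies the key usage and EKU rules from step 1 to a candidate DRA certificate file before it is published through the policy path in step 2. The function name, the -AllowedEku parameter and the .cer path are assumptions.

```powershell
# Added example, not code from the original article. Inspects a DRA certificate
# the way step 1 describes: Key Usage (if present) must include one of the three
# allowed bits, and EKU (if present) must carry an allowed object identifier.

function Test-BitLockerDraCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Default BitLocker DRA EKU from the article. Add the OIDs your CA issues if policy
        # is configured to accept a different identifier.
        [string[]]$AllowedEku = @('1.3.6.1.4.1.311.67.1.1')
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $problems = New-Object System.Collections.Generic.List[string]

    # Rule 1: CERT_DATA_ENCIPHERMENT_KEY_USAGE, CERT_KEY_AGREEMENT_KEY_USAGE or CERT_KEY_ENCIPHERMENT_KEY_USAGE
    $ku = $cert.Extensions |
          Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku) {
        $allowed = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DataEncipherment -bor
                   [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyAgreement -bor
                   [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
        if (($ku.KeyUsages -band $allowed) -eq 0) {
            $problems.Add("Key Usage present but none of DataEncipherment/KeyAgreement/KeyEncipherment set: $($ku.KeyUsages)")
        }
    }

    # Rule 2: if an EKU extension is present it must contain an allowed OID
    $eku = $cert.Extensions |
           Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object Value)
        if (-not ($oids | Where-Object { $AllowedEku -contains $_ })) {
            $problems.Add("EKU present but no allowed OID found (have: $($oids -join ', '))")
        }
    }

    # Operational sanity checks beyond the two rules: only the public certificate
    # belongs in Group Policy, and an expired DRA cannot be used for recovery.
    if ($cert.HasPrivateKey) { $problems.Add('File contains a private key; publish only the public certificate via policy') }
    if ($cert.NotAfter -lt (Get-Date)) { $problems.Add("Certificate expired on $($cert.NotAfter)") }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        IsUsable   = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Test-BitLockerDraCertificate -Path 'C:\pki\bitlocker-dra.cer'   # placeholder path
```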

BitLocker recovery information stored in Microsoft Entra ID

The BitLocker recovery information for Microsoft Entra joined devices can be stored in Microsoft Entra ID. The advantage of storing the BitLocker recovery passwords in Microsoft Entra ID, is that users can easily retrieve the passwords for the devices assigned to them from the web, without involving the help desk.

Access to recovery passwords can also be delegated to the help desk, to facilitate support scenarios.

The BitLocker recovery password information stored in Microsoft Entra ID is a bitlockerRecoveryKey resource type. The resource can be retrieved from the Microsoft Entra admin center, the Microsoft Intune admin center (for devices enrolled in Microsoft Intune), using PowerShell, or using Microsoft Graph. For more information, see bitlockerRecoveryKey resource type.

BitLocker recovery information stored in AD DS

The BitLocker recovery information for a device joined to an Active Directory domain can be stored in AD DS. The information is stored in a child object of the computer object itself. Each BitLocker recovery object includes the recovery password and other recovery information. More than one BitLocker recovery object can exist under each computer object, because there can be more than one recovery password associated with a BitLocker-enabled volume.

The name of the BitLocker recovery object incorporates a globally unique identifier (GUID) and date and time information, for a fixed length of 63 characters. The syntax is <Object Creation Date and Time><Recovery GUID>.

Note

Active Directory maintains a history of all recovery passwords for a computer object. Old recovery keys are not removed automatically from AD DS, unless the computer object is deleted.

The common name (cn) for the BitLocker recovery object is ms-FVE-RecoveryInformation. Each ms-FVE-RecoveryInformation object has the following attributes:

  • ms-FVE-RecoveryPassword: the 48-digit recovery password used to recover a BitLocker-encrypted disk volume.
  • ms-FVE-RecoveryGuid: GUID associated with a BitLocker recovery password. In BitLocker's recovery mode, the GUID is displayed to the user, so that the correct recovery password can be located to unlock the volume. The GUID is also included in the name of the recovery object.
  • ms-FVE-VolumeGuid: GUID associated with a BitLocker-supported disk volume. While the recovery GUID (stored in ms-FVE-RecoveryGuid) is unique for each recovery password, the volume identifier is unique for each BitLocker-encrypted volume.
  • ms-FVE-KeyPackage: the volume's BitLocker encryption key secured by the corresponding recovery password. With this key package and the recovery password (stored in ms-FVE-RecoveryPassword), portions of a BitLocker-protected volume can be decrypted if the disk is corrupted. Each key package works only for a volume that has the corresponding volume identifier (stored in ms-FVE-VolumeGuid). The BitLocker Repair Tool can be used to make use of the key package.

To learn more about the BitLocker attributes stored in AD DS, review the following articles:

  • ms-FVE-KeyPackage attribute
  • ms-FVE-RecoveryPassword attribute
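An added PowerShell example (not from the article) of the lookup a help desk performs against the objects described above: find the msFVE-RecoveryInformation child of a computer object whose recovery GUID matches the key ID shown on the recovery screen, and return the password only for that object. It assumes the RSAT ActiveDirectory module and delegated read access to the ms-FVE-* attributes; the function name is this example's own.

```powershell
# Added example, not code from the original article. Recovery objects live as
# direct children of the computer object; their name is <creation time><recovery GUID>
# and msFVE-RecoveryGuid holds the same GUID as raw bytes.

function Get-BitLockerRecoveryPasswordFromAD {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # Value from the recovery screen: the first 8 hex characters are enough to disambiguate
        [Parameter(Mandatory)][string]$RecoveryKeyId
    )
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $ComputerName
    $objects = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'

    $prefix = $RecoveryKeyId.Trim('{}').ToUpperInvariant()
    foreach ($o in $objects) {
        # Octet-string attributes arrive as byte[]; the Guid(byte[]) constructor rebuilds them
        $recoveryGuid = ([guid][byte[]]$o.'msFVE-RecoveryGuid').ToString().ToUpperInvariant()
        $volumeGuid   = ([guid][byte[]]$o.'msFVE-VolumeGuid').ToString()
        $isMatch = $recoveryGuid.StartsWith($prefix)
        $password = $null
        if ($isMatch) { $password = $o.'msFVE-RecoveryPassword' }   # expose only the requested one
        [pscustomobject]@{
            Name             = $o.Name          # <creation time><recovery GUID>, 63 characters
            Created          = $o.whenCreated   # older objects are kept; history is not pruned
            RecoveryGuid     = $recoveryGuid
            VolumeGuid       = $volumeGuid
            IsMatch          = $isMatch
            RecoveryPassword = $password
        }
    }
}

# Get-BitLockerRecoveryPasswordFromAD -ComputerName 'LAPTOP-01' -RecoveryKeyId 'A1B2C3D4' |
#     Where-Object IsMatch     # placeholder computer name and key ID
```

Several objects per computer are normal (one per recovery password ever generated, across volumes), which is why the match is made on the recovery GUID rather than on the volume.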

The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the Backup recovery password and key package policy setting must be selected in the policy that controls the recovery method. The key package can also be exported from a working volume.

If recovery information isn't backed up to AD DS, or if you want to save a key package in an alternative location, use the following command to generate a key package for a volume:

manage-bde.exe -KeyPackage C: -id <id> -path <path>

A file with a file name format of BitLocker Key Package {<id>}.KPG is created in the specified path.

Note

To export a new key package from an unlocked, BitLocker-protected volume, local administrator access to the working volume is required before any damage occurs to the volume.

Next steps

Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive:

BitLocker recovery process


