
How to Fix Windows Asking for BitLocker Recovery Key at Startup


📄 Windows & Devices
Cybergate IT Team

[Figure: the BitLocker recovery screen shown at startup. The BitLocker recovery screen appears when Windows detects changes that could indicate tampering or hardware modification.]

The BitLocker recovery screen is a blue screen that appears before Windows loads, showing a Recovery Key ID and requesting a 48-digit recovery key. It is BitLocker working as designed: on a TPM-protected drive (the default), the TPM only releases the volume's encryption key when the measured boot state (firmware, boot configuration, Secure Boot settings) matches the state it was sealed to. When that check fails, BitLocker falls back to asking for proof that the person at the keyboard is authorised. This guide covers finding your recovery key, entering it and preventing the issue from recurring.

This Is Not a Virus or Hack

Seeing the BitLocker recovery screen does not mean you have been hacked. It is a security feature that triggers when the PC detects hardware changes, firmware updates or other events that BitLocker treats as potential tampering. That said, if nothing you know of changed (no firmware update, no hardware swap, no BIOS/UEFI settings change), do not simply enter the key and move on: work through Step 3 to find out what the boot measurements disagreed with.

Step 1: Find the Recovery Key

The BitLocker recovery screen shows a Recovery Key ID (a short identifier like 3F2A1B4C, which is the first 8 characters of the full key ID). Use this ID to find the correct key from your saved locations: a device can have more than one key on record, and only the one whose ID matches will unlock the drive.

1. Check Microsoft Account (Most Common)

On another device (phone or another PC), open a browser and go to: account.microsoft.com/devices/recoverykey

Sign in with the same Microsoft account used on the locked PC. If the recovery key was saved to the Microsoft account during BitLocker setup, it will appear here with the device name and Key ID. Match the Key ID shown on the BitLocker screen to the one on this page.

2. Check Microsoft Entra ID / Azure AD (Work Devices)

For work devices managed by an organisation, the IT admin can find the key in the following places (Azure AD has since been renamed Microsoft Entra ID; the older portal addresses still redirect):

  • Microsoft Intune admin centre: intune.microsoft.com (formerly endpoint.microsoft.com) > Devices > select device > Recovery keys
  • Microsoft Entra admin centre: entra.microsoft.com (formerly aad.portal.azure.com) > Devices > select device > BitLocker keys
  • Microsoft 365 admin centre (if using Business Premium): active devices list

Contact your IT department or managed IT provider to retrieve the key.
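For the admin on the receiving end of that request, looking the key up by the short ID on the screen is quicker with Microsoft Graph than clicking through the portal, and it scales when several users call at once. The script below is an added example and is not from the original article. It assumes the Microsoft.Graph.Identity.SignIns PowerShell module is installed and that the signed-in admin can consent to the BitLockerKey.Read.All permission; the short ID value is whatever the user reads from the blue screen.

```powershell
# Added example (not part of the original article): look up an escrowed BitLocker
# recovery password in Microsoft Entra ID from the 8-character Key ID shown on
# the recovery screen. Assumes Microsoft.Graph.Identity.SignIns is installed and
# the caller holds BitLockerKey.Read.All.
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^[0-9A-Fa-f]{8}$')]
    [string]$ShortKeyId      # e.g. 3F2A1B4C, as read from the blue screen
)

Import-Module Microsoft.Graph.Identity.SignIns
# BitLockerKey.ReadBasic.All is enough to list key IDs; retrieving the key
# itself needs BitLockerKey.Read.All and is written to the Entra audit log.
Connect-MgGraph -Scopes 'BitLockerKey.Read.All' -NoWelcome

# The screen shows only the first 8 hex characters of the full key GUID, so list
# the escrowed keys (id, deviceId, createdDateTime; never the key material) and
# match the prefix client-side. Use -Filter "deviceId eq '<id>'" in large tenants.
$candidates = Get-MgInformationProtectionBitlockerRecoveryKey -All |
    Where-Object { $_.Id -like "$ShortKeyId*" }

if (-not $candidates) {
    Write-Warning "No escrowed key starts with $ShortKeyId. It was probably never backed up to the tenant; check the other locations in Step 1."
    return
}

foreach ($k in $candidates) {
    # Reading the 48-digit password is a separate, audited call: the 'key'
    # property is only returned when requested explicitly on a single key.
    $full = Get-MgInformationProtectionBitlockerRecoveryKey `
        -BitlockerRecoveryKeyId $k.Id -Property 'key'

    [pscustomobject]@{
        KeyId            = $k.Id
        DeviceId         = $k.DeviceId
        Created          = $k.CreatedDateTime
        RecoveryPassword = $full.Key     # read this to the user over a verified channel
    }
}
```

Before reading the password out, confirm the caller's identity and that the device ID belongs to them; every key read leaves an audit entry in Entra ID, which is the control you rely on if a key is later found to have been disclosed to the wrong person.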

3. Check Other Saved Locations

If the recovery key was not saved to a Microsoft account:

  • USB drive: Look for a text file named something like BitLocker Recovery Key 3F2A1B4C.txt on any USB drive you saved the key to during setup
  • Network drive or SharePoint: Search for BitLocker Recovery Key in your shared drives
  • Printed copy: Check physical files. The printout is headed "BitLocker Drive Encryption recovery key" and lists the Key ID (Identifier) and the 48-digit key

[Figure: the Microsoft account BitLocker recovery key page. Find the BitLocker recovery key at account.microsoft.com/devices/recoverykey]

Step 2: Enter the Recovery Key

4. Type the 48-Digit Key

On the blue BitLocker recovery screen, the cursor is already active in the recovery key input field. Type the 48-digit recovery key carefully. The key is in the format: 123456-234567-345678-456789-567890-678901-789012-890123 (8 groups of 6 digits separated by hyphens).

You do not need to type the hyphens – type just the numbers and BitLocker adds the formatting automatically. Press Enter when complete.

If the key is accepted, Windows boots normally and BitLocker reseals the volume key to the current boot measurements. If it is rejected, check that the Key ID on the screen matches the ID next to the key you are using (a device that has been re-encrypted or had its recovery key rotated may have several keys on record) and retype it.

Step 3: Investigate and Prevent Recurrence

5. Identify What Triggered Recovery Mode

After booting into Windows, open Command Prompt as Administrator and run:

manage-bde -status C:

This shows the current BitLocker status, including whether protection is on and which key protectors (TPM, TPM+PIN, recovery password) are in use. Then open Event Viewer (search in the Start menu) and check two logs around the time of the prompt: Windows Logs > System for TPM, Secure Boot and firmware-related events, and Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management, where BitLocker records the recovery event itself.

Common causes and fixes:

  • BIOS/UEFI firmware update: Normal one-time occurrence. Once the recovery key is accepted, BitLocker reseals to the new firmware measurements and subsequent boots are normal.
  • Secure Boot disabled, or boot order changed, in BIOS/UEFI: Re-enable Secure Boot (and restore the original boot order) in BIOS/UEFI settings.
  • TPM not functioning: Check Device Manager for TPM errors. Run tpm.msc and check the TPM status; a TPM that is locked out (for example after repeated wrong PINs) or reporting errors will keep forcing recovery until fixed.
  • Hardware change (new RAM, SSD): One-time occurrence after new hardware. Normal after the first boot.
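The status command and the Event Viewer walk above can be collected in one pass, which is what you want when several machines prompt for recovery after the same patch window. The script below is an added example, not from the original article; it assumes an elevated PowerShell session on Windows 10/11, where the BitLocker and TrustedPlatformModule modules ship with the OS, and it only reads state.

```powershell
# Added example (not part of the original article): collect the evidence that
# explains a BitLocker recovery prompt. Run elevated, after the machine has been
# booted with the recovery key. Assumes Windows 10/11; read-only.
param(
    [string]$MountPoint = 'C:',
    [int]$HoursBack = 48          # how far back to search the event logs
)
$since = (Get-Date).AddHours(-$HoursBack)

# 1. Volume state: is protection on, and which protectors is the key sealed to?
$vol = Get-BitLockerVolume -MountPoint $MountPoint
[pscustomobject]@{
    Volume           = $vol.MountPoint
    ProtectionStatus = $vol.ProtectionStatus   # Off = suspended: no recovery prompts, but data is exposed
    VolumeStatus     = $vol.VolumeStatus
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
}
# manage-bde also prints the PCR validation profile (e.g. 7, 11 on Secure Boot systems),
# i.e. which boot measurements the TPM protector is bound to.
manage-bde -protectors -get $MountPoint

# 2. TPM and Secure Boot state: the two things a recovery prompt most often reflects
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, ManagedAuthLevel, LockedOut
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot: not supported by this firmware (legacy BIOS / CSM mode?)" }

# 3. Firmware version and release date: a release date close to the incident
#    points at a BIOS/UEFI update as the trigger.
Get-CimInstance Win32_BIOS | Select-Object Manufacturer, SMBIOSBIOSVersion, ReleaseDate

# 4. Event evidence. BitLocker's own log records the recovery event and, on
#    later boots, why validation failed.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

#    The System log carries TPM driver/WMI events and the kernel's boot-time
#    Secure Boot state.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = @('Microsoft-Windows-TPM-WMI', 'Microsoft-Windows-Kernel-Boot')
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-Table -Wrap
```

Read the output top-down: if ProtectionStatus is already Off, someone suspended BitLocker and the prompt cannot have come from this boot cycle; if Secure Boot reports disabled or the BIOS release date is recent, you have your trigger; if the TPM shows LockedOut or not Ready, the prompt will recur until that is fixed.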

6. Suspend BitLocker Before Planned Maintenance

Before any planned maintenance that might trigger BitLocker recovery (BIOS update, hardware change), suspend BitLocker first. Open Command Prompt as Administrator and run:

manage-bde -protectors -disable C:

On current Windows versions this suspends protection for a single restart and then resumes it automatically. Firmware updates often reboot more than once, so for those add -RebootCount 0, which keeps protection suspended until you re-enable it yourself. Perform the maintenance work. After completing maintenance and booting Windows successfully, re-enable BitLocker protection:

manage-bde -protectors -enable C:

Suspending BitLocker allows Windows to boot without requiring the recovery key, even through events that would normally trigger recovery mode. It does not decrypt the drive, but while protection is off the volume key is stored on disk in a form that needs neither the TPM nor the recovery key, so anyone who can boot the machine can read the data. Re-enable protection as soon as the maintenance is finished and confirm with manage-bde -status C: that Protection Status reports On.
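The same procedure with its two guard rails in place: never suspend without a recovery password you can actually find afterwards, and never finish without confirming protection is back on. The script below is an added example and not the article's own; it assumes an elevated PowerShell session on Windows 10/11 and uses Suspend-BitLocker / Resume-BitLocker, the cmdlet equivalents of the manage-bde commands above. The Entra ID escrow step only succeeds on a device joined to Microsoft Entra ID; elsewhere it is skipped with a warning and the key is shown for you to record offline.

```powershell
# Added example (not part of the original article): pre/post maintenance wrapper
# around Suspend-BitLocker / Resume-BitLocker. Run elevated on Windows 10/11.
#   .\bitlocker-maint.ps1 -Phase Before   (then do the BIOS update / hardware swap)
#   .\bitlocker-maint.ps1 -Phase After
param(
    [Parameter(Mandatory)][ValidateSet('Before', 'After')][string]$Phase,
    [string]$MountPoint  = 'C:',
    [int]   $RebootCount = 0     # 0 = stay suspended until 'After' is run; 1-15 = auto-resume after N restarts
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

switch ($Phase) {
    'Before' {
        # Guard rail 1: refuse to touch protection unless a recovery password exists.
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            throw "No recovery password protector on $MountPoint. Add one first: Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
        }
        foreach ($p in $rp) {
            # Escrow to Entra ID so it appears under the Step 1 portals; fails on non-joined devices.
            try {
                BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
                "Escrowed recovery key $($p.KeyProtectorId) to Microsoft Entra ID"
            } catch {
                Write-Warning "Escrow to Entra ID failed ($($_.Exception.Message)). Record the key below somewhere OFF this drive before continuing."
            }
            # Key ID first, as that is what the blue screen will ask you to match.
            "Key ID: $($p.KeyProtectorId)  Recovery password: $($p.RecoveryPassword)"
        }
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    }
    'After' {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
}

# Guard rail 2: verify the state actually changed instead of trusting the cmdlet's silence.
$state    = (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
$expected = if ($Phase -eq 'Before') { 'Off' } else { 'On' }
if ("$state" -ne $expected) {
    throw "$MountPoint ProtectionStatus is $state, expected $expected"
}
"$MountPoint protection is now $state"
```

Treat the 'Before' output as sensitive: the recovery password is printed so that an unmanaged machine still has a usable copy, so clear the console afterwards and do not save the transcript on the encrypted volume itself.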

Need IT Help in Malaysia?

Cybergate provides managed IT support for businesses across Malaysia. Our team is available Monday to Saturday, 9am to 6pm.

Frequently Asked Questions

Why does BitLocker ask for the recovery key?

BitLocker enters recovery mode when it detects changes that could indicate tampering or hardware changes. Common triggers: BIOS/UEFI firmware update, Secure Boot settings changed, significant hardware change (new RAM, motherboard), incorrect PIN entered too many times, TPM chip reset or malfunction, Windows Update (occasionally), battery removed from a laptop while BitLocker was still processing, or the boot order changed in BIOS.

Where do I find the recovery key?

Check these locations in order: 1. Your Microsoft account at account.microsoft.com/devices/recoverykey (if the drive was encrypted while signed into a Microsoft account). 2. The Microsoft Entra ID (Azure AD) or Intune admin portal for work devices (contact your IT admin). 3. Any USB drive you saved the key to during setup. 4. Any printed document from when BitLocker was enabled. 5. A text file saved to a network drive. If the key cannot be found in any of these locations, the encrypted data is permanently inaccessible. There is no bypass, which is why backing up the recovery key during setup is critical.

Will it keep asking every time I start the PC?

No. Once you enter the recovery key successfully, Windows boots normally. The recovery mode was triggered by a specific event. If the cause was a one-time event (firmware update), it should not recur. If hardware has changed, BitLocker reseals the key to the new boot measurements and subsequent boots are normal. If the cause is a recurring issue (like a TPM malfunction), it may appear again until the root cause is addressed.

Can I stop it from triggering before a BIOS update?

You can suspend BitLocker before planned events that would trigger recovery mode (like a BIOS update). Run manage-bde -protectors -disable C: before the BIOS update and re-enable with manage-bde -protectors -enable C: after. This temporarily suspends protection rather than decrypting the drive. For persistent recovery mode issues, investigate the root cause rather than disabling BitLocker, as that removes an important security control.

Cybergate IT Team
Managed IT support for Malaysian businesses since 2014. Microsoft Partner · Fortinet Technology Partner. About Us
