Being met by BitLocker’s blue recovery screen asking for a 48-digit key you don’t remember creating is genuinely alarming — but in the vast majority of cases, that key isn’t lost. It was saved somewhere when BitLocker was switched on, and finding it is usually just a matter of knowing where to look. Here are the places it lives.
The 48-digit key was recorded when BitLocker was enabled — usually in your Microsoft account or your organisation’s records. In most ‘lost key’ cases, it’s simply somewhere you can reach.
First, some reassurance about why the screen appeared. A BitLocker recovery prompt usually follows a change the drive’s protection didn’t expect — a firmware or BIOS update, a hardware change, a new boot setting, or a forgotten PIN. BitLocker’s security tied the key to your machine’s startup state, and when that changed, it fell back to asking for the recovery key as a safeguard. It doesn’t mean anything is broken.
What it does mean is that you now need the 48-digit key — so let’s find it. The good news is that it was almost certainly recorded when BitLocker was first enabled.
There are a handful of places BitLocker saves the recovery key, depending on the machine. Work through them:
For personal PCs, this is the most likely spot. Sign in at account.microsoft.com/devices/recoverykey on another device — modern Windows often auto-saves the key here.
For a company or school device, IT holds it — retrieved from Azure AD / Entra ID or Active Directory, matched to your specific machine. Ask them.
When BitLocker was enabled, you may have printed the key or saved it to a text file. Check documents, drawers, and any ‘BitLocker Recovery Key’ .txt file.
BitLocker offers to save the key to a USB stick during setup. Check any USB drives you may have used at the time.
For most home users, the Microsoft account is the answer. Recent versions of Windows enable “device encryption” automatically on many PCs and quietly back the recovery key up to the Microsoft account you signed in with — which is why people who never knowingly set up BitLocker still find a key waiting there. On another phone or computer, go to account.microsoft.com/devices/recoverykey and sign in with the same account.
If you have more than one Microsoft account, try each — the key is tied to whichever account was signed in when encryption was enabled.
You may find more than one key listed — if you have several encrypted drives or devices, each has its own. The BitLocker recovery screen shows a Key ID (a short string, the first part of a longer identifier), and each saved key is listed with a matching ID. Match the ID on your screen to the ID in your records to pick the correct 48-digit key.
Enter that key at the recovery prompt and the drive unlocks. It’s worth double-checking the ID rather than guessing, especially if you manage multiple machines.
Be honest with yourself here, because it matters. If the key isn’t in any Microsoft account, your IT department has no record, and there’s no printout or file anywhere — and the drive won’t release the key itself — then the data may be unrecoverable. BitLocker’s encryption can’t be broken without the key, and no legitimate service can “crack” it. Anyone claiming they can should be treated with real caution.
Before concluding that, though, exhaust every avenue — every Microsoft account, every old USB stick, IT, and any documents from when the machine was set up. In the great majority of cases, the key really is recorded somewhere.
One more scenario: the drive is BitLocker-locked and has physically failed or won’t boot. If you have the recovery key, this is still recoverable — a lab can image the failing drive first, then decrypt the copy with your key and extract the data, all without stressing the original. The key is the essential ingredient; with it, even a failed encrypted drive can be recovered.
What no one can do is recover a failed and locked drive with no key — so if the key exists, keep it safe, because it’s what makes the difference.
What people ask us most about BitLocker recovery keys.
The most likely place, for a personal PC, is your Microsoft account — sign in at account.microsoft.com/devices/recoverykey on another device. For a work or school machine, IT can retrieve it from Azure AD or Active Directory. It may also have been printed, saved to a text file, or stored on a USB stick when BitLocker was enabled. In most cases, it’s recorded somewhere you can reach.
Because recent versions of Windows enable device encryption automatically on many PCs and quietly save the recovery key to the Microsoft account you signed in with. That’s why people who never knowingly turned on BitLocker still find a key waiting in their Microsoft account. Check account.microsoft.com/devices/recoverykey with the account you use on that PC.
Exhaust every option first — every Microsoft account, your IT department, any printouts, files or USB sticks from setup. If the key genuinely isn’t recorded anywhere and the drive won’t release it, the data may be unrecoverable, because BitLocker can’t be broken without the key and no legitimate service can crack it. But in most cases the key is saved somewhere, so it’s worth a thorough search.
If you’ve found your recovery key and the drive has also failed, we can image it and decrypt the copy to recover your data. We recover with your key — we never crack encryption. Post it in from anywhere in the UK, or drop it to us in Belfast.