In this post we will see how to enable BitLocker and recover the BitLocker recovery key on a Windows device. Once BitLocker is enabled, the generated recovery key can be saved to your Microsoft account. Other options are also available, such as printing the key, creating a PDF file, or saving it to a text file for later use. However, using a Microsoft account gives you the flexibility of storing the recovery passwords for all your devices in one centralised place.

Enable and recover BitLocker recovery key

BitLocker Drive Encryption is a product that encrypts your device at the hardware layer. It is available on Windows 10, Windows 11 and Windows Server 2016 and above.

BitLocker uses a Trusted Platform Module (TPM) version 1.2 or later (though it is not compulsory), a hardware component that nowadays all computer manufacturers provide. BitLocker can be used without a TPM as well, which requires specific settings to be configured. However, using a TPM with Secure Boot enabled in the BIOS is the most efficient way of encrypting the drive and saving the information in the TPM.

Encrypt Drive – Save recovery key to Microsoft Account

Let’s log in to a device. I have a workstation where I have logged in with a Microsoft account. It has 2 disks, a C drive and a D drive: C holds the operating system and D holds data.

Right-click the C drive and select Turn on BitLocker.


The BitLocker Drive Encryption page opens and asks you to back up your recovery key. We have 3 options:

Save to your Microsoft Account
Save to a file
Print the recovery key


All 3 options can be used to save the information, but to save it to the Microsoft account, let’s go with the 1st option.

This will initiate the encryption process of your drive while saving the recovery key to your Microsoft account.


Once done, the wizard returns to the same page with all 3 options present. Click Next.

On the Choose how much of your drive to encrypt page, select Encrypt used disk space only, as it is much faster. You can also choose to encrypt the entire drive, which could take more time depending on disk size and data. Click Next.


On the Choose which encryption mode to use page, select New encryption mode, which provides the latest encryption technology, i.e. XTS-AES, and requires a Windows 10 or later device. For older devices, Compatible mode can be selected instead.


On Ready to encrypt this drive page, click on Start encrypting.

Run BitLocker system check

Allow some time to encrypt the disk. You may close the window, and encryption will continue in the background.


Monitor the progress

You can monitor the progress through the GUI that is displayed. If you have closed the window, progress can be checked with the BitLocker utility manage-bde. Run the following in a command prompt with administrative rights:

manage-bde -status c:

Once the encryption process is completed, run the command again and now we see the status:

manage-bde -status c:

Conversion Status:  Used Space Only Encrypted
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked

Encrypt Data Drive

We can encrypt the D drive the same way. This time we get one different option, i.e. Automatically unlock this drive on this computer.


As this is a data drive (not containing system files / OS files), we have the option to unlock it automatically. If that option is not selected, we have to provide the recovery password every time to unlock it.

On the How do you want to back up your recovery key page, we have 1 more option available, i.e. Save to a USB flash drive, as this is a data drive not containing system files.


Once Save to your Microsoft account is selected, the recovery key will be saved again on Microsoft account.

For a data drive you can’t use the Save to a file option with a local drive selected, as all drives are encrypted. You must save it to a USB flash drive, or else you will get the error message This location can’t be used, Your recovery key can’t be saved to an encrypted drive. Choose a different location.


How to find BitLocker Recovery key on Microsoft Account

You can verify the recovery password details on your Microsoft account.

Log in to your Microsoft account, which will display a list of all the devices you have.

Click on Info & Devices.

Info & support

Under BitLocker data protection, click Manage recovery keys and then click Show other available keys to get a list of all the recovery keys you have.


We can see the recovery key information of all the devices we have. For the device which I encrypted, I can see there are 2 rows containing a Key ID and a 48-digit Recovery Key, which is also called the Recovery Password.


The drive marked OSV is the primary drive containing the OS, while FDV is the secondary drive.

The recovery key is the information someone needs to unlock the drive and access it.

Recover the drive using Recovery Password

Let’s assume the disk is stolen or some hardware changes have been made. In both scenarios, when we switch on the system it won’t boot directly into the full OS; instead it shows the BitLocker recovery prompt with the message Enter the recovery key for this drive.


Let’s take a close look at the Recovery Key ID: the initial 8 digits are all we need to find the matching entry on the Microsoft page > BitLocker recovery keys.

For Key ID 634666FA, the corresponding Recovery Key is 319957-668822-461725-613492-393316-131912-136686-211288. Provide this key to unlock the drive and boot the system.


BitLocker Drive Encryption Tools

Manage-bde.exe is the built-in command-line tool for BitLocker Drive Encryption. There are BitLocker cmdlets for Windows PowerShell as well. Both come in very handy for a few tasks.

manage-bde generate recovery key

Run the following command to see your recovery key / recovery password. The 2nd command saves the output to a text file.

manage-bde -protectors c: -get
manage-bde -protectors c: -get >> recoverykey.txt

To generate a new recovery key, use the add protector command:

manage-bde -protectors -add d: -RecoveryPassword
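To match the Key ID shown on the recovery screen against what is stored, without printing the 48-digit passwords the way `-protectors -get` does, the protectors can be inventoried from PowerShell. This is an added example, not part of the original post; the function name `Get-RecoveryKeyInventory` is hypothetical and it assumes the built-in BitLocker module (`Get-BitLockerVolume`) in an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): list recovery-password
# protectors per volume WITHOUT printing the 48-digit passwords.
function Get-RecoveryKeyInventory {
    param(
        # Volumes to inspect; defaults to every volume BitLocker reports.
        [object[]]$Volume = (Get-BitLockerVolume)
    )
    foreach ($v in $Volume) {
        $recovery = @($v.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        if ($recovery.Count -eq 0) {
            # No recovery password means nothing to type at the recovery prompt.
            $finding = 'No recovery password protector'
            if ($v.VolumeStatus -eq 'FullyDecrypted') { $finding = 'Not encrypted' }
            [pscustomobject]@{
                MountPoint = $v.MountPoint; VolumeType = $v.VolumeType
                KeyId = $null; KeyIdShort = $null; Finding = $finding
            }
            continue
        }
        # "-protectors -add ... -RecoveryPassword" adds a key; older ones stay
        # valid until removed, so more than one is worth reviewing.
        $finding = 'OK'
        if ($recovery.Count -gt 1) {
            $finding = "$($recovery.Count) recovery passwords present"
        }
        foreach ($p in $recovery) {
            $id = $p.KeyProtectorId.Trim('{}')
            [pscustomobject]@{
                MountPoint = $v.MountPoint; VolumeType = $v.VolumeType
                KeyId      = $id
                KeyIdShort = $id.Substring(0, 8)  # compare with the ID on the recovery screen
                Finding    = $finding
            }
        }
    }
}

Get-RecoveryKeyInventory | Format-Table -AutoSize
```

The KeyIdShort column is the same 8-character prefix used above to pick the right row on the Microsoft account page.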

How to add TPM PIN at startup

If you want to secure your device with a PIN that must be entered while booting, you need to have a Local Policy or Group Policy set for this.

Open gpedit.msc to open Local Group Policy Editor, and navigate to Policy Path : Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.

Enable the following settings:


Require additional authentication at startup, with Configure TPM startup PIN set to Allow startup PIN with TPM.
Allow enhanced PINs for startup (optional), which allows you to enter letters, symbols, numbers and spaces.
Configure minimum PIN length for startup: enable it and provide the minimum number of characters to use.


If the above-mentioned policy is not set, you will get an error.

Error: An error occurred (code 0x80310060): Group Policy settings do not permit the use of a PIN at startup. Please choose a different BitLocker startup option.
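The policy state behind error 0x80310060 can be checked before adding the protector. The following is an added example, not part of the original post: it reads the values these policy settings write under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup, UseTPMPIN, UseEnhancedPin, MinimumPIN); the function name `Test-StartupPinPolicy` is hypothetical.

```powershell
# Added example (not from the original post): check whether policy permits
# a TPM startup PIN before running "manage-bde -protectors -add c: -tpmandpin".
function Test-StartupPinPolicy {
    param(
        # Registry key written by the "Operating System Drives" policies.
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    )
    $fve = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $problems = @()

    if (-not $fve) {
        $problems += 'No BitLocker policy key found: nothing is configured.'
    } else {
        # 1 = "Require additional authentication at startup" is Enabled.
        if ($fve.UseAdvancedStartup -ne 1) {
            $problems += '"Require additional authentication at startup" is not enabled.'
        }
        # UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow startup PIN with TPM.
        if ($fve.UseTPMPIN -notin 1, 2) {
            $problems += '"Configure TPM startup PIN" does not allow a PIN.'
        }
    }

    [pscustomobject]@{
        PinPermitted  = ($problems.Count -eq 0)
        EnhancedPin   = ($fve.UseEnhancedPin -eq 1)   # letters, symbols, spaces allowed
        MinimumPinLen = $fve.MinimumPIN               # empty when the policy is not set
        Problems      = $problems
    }
}

$result = Test-StartupPinPolicy
$result | Format-List
if (-not $result.PinPermitted) {
    Write-Warning 'Adding a TPM+PIN protector will fail with 0x80310060 until policy is fixed.'
}
```

After changing the policy in gpedit.msc, run `gpupdate /force` and re-run the check before adding the protector.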

Run the following command with the parameter -TPMANDPIN:

manage-bde -protectors -add c: -tpmandpin

To suspend and resume BitLocker temporarily, use the commands below. Suspending doesn’t decrypt the drive; protection is suspended for 1 restart only and resumes automatically after the 1st restart.

Suspend-bitlocker command: Manage-bde -protectors -disable c:
Resume-bitlocker command : Manage-bde -protectors -enable c:
Suspend command for infinite restart: manage-bde -protectors -disable c: -rc 0
When -rc 0 is used, the reboot count is set to 0 and BitLocker protection won’t resume even after multiple restarts.
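A volume left suspended still reports as encrypted, so it is worth telling the states apart: converting, protected, suspended for a number of restarts, or suspended until manually resumed. The following is an added example, not part of the original post; the function name `Get-BitLockerProtectionState` is hypothetical, and it assumes the BitLocker PowerShell module plus the `GetSuspendCount` method of the `Win32_EncryptableVolume` WMI class.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): classify each volume's state,
# including how long a suspension will last.
function Get-BitLockerProtectionState {
    $ns = 'root/cimv2/Security/MicrosoftVolumeEncryption'
    foreach ($v in Get-BitLockerVolume) {
        $state = 'Protected'
        if ($v.VolumeStatus -eq 'FullyDecrypted') {
            $state = 'Not encrypted'
        } elseif ($v.LockStatus -eq 'Locked') {
            $state = 'Locked'   # protection status is not reported while locked
        } elseif ("$($v.VolumeStatus)" -like '*InProgress') {
            $state = "Converting ($($v.EncryptionPercentage)%)"
        } elseif ($v.ProtectionStatus -ne 'On') {
            $state = 'Suspended'
            # Ask WMI how many restarts remain before protection resumes.
            $wmi = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume `
                -Filter "DriveLetter='$($v.MountPoint)'" -ErrorAction SilentlyContinue
            if ($wmi) {
                $r = Invoke-CimMethod -InputObject $wmi -MethodName GetSuspendCount
                if ($r.ReturnValue -eq 0) {
                    if ($r.SuspendCount -eq 0) {
                        # Matches "manage-bde -protectors -disable c: -rc 0".
                        $state = 'Suspended until manually resumed'
                    } else {
                        $state = "Suspended, resumes after $($r.SuspendCount) restart(s)"
                    }
                }
            }
        }
        [pscustomobject]@{
            MountPoint = $v.MountPoint
            Method     = $v.EncryptionMethod
            State      = $state
        }
    }
}

Get-BitLockerProtectionState | Format-Table -AutoSize
```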

Commands to autounlock the drive

When an additional drive has auto-unlock disabled, it shows a locked sign, and double-clicking it prompts for the 48-digit recovery key to unlock the drive. We have to specify the recovery password every time. This can be managed using the following commands.


Command line utility:

unlock-bitlocker command : manage-bde -autounlock -enable d:
disable unlock-bitlocker command: manage-bde -autounlock -disable d:

Equivalent PowerShell cmdlets to auto-unlock the drive:

Enable-BitLockerAutoUnlock -MountPoint d:
Disable-BitLockerAutoUnlock -MountPoint d:

These commands perform the same function as right-clicking a drive, selecting Manage BitLocker and then selecting Turn on auto-unlock.
