Guide · BitLocker lockout
BitLocker recovery key not found: where your key actually is
Your recovery key almost certainly exists. Windows does not turn BitLocker on without saving that key somewhere; the trick is knowing everywhere it might be stashed. Work this list from your phone before you panic, and definitely before you let anyone wipe the machine.
Last updated 2 July 2026 · by Alien IT Solutions
First, the short version
The blue recovery screen means the drive is locked, not lost. Your files are sitting there encrypted and intact, waiting for a 48-digit key that was saved somewhere when the drive was first encrypted. Most people find it in under ten minutes once they know where to look.
So do not reformat, do not let a shop talk you into a rebuild yet, and stop guessing passwords: the recovery key is not a password. Grab your phone and work through the locations below, most likely first.
Why it is suddenly demanding a key
BitLocker ties the drive to a security chip in your machine, the TPM. When the machine looks different to that chip at startup, it refuses to unlock and asks for the recovery key instead. That is the feature working, not breaking. The usual triggers:
BIOS or firmware updates
The most common one. The manufacturer pushes a firmware update, the machine restarts, and to the TPM it now looks like different hardware. Up comes the blue screen.
Windows updates
Some updates touch the boot chain. The measurements the TPM checks at startup no longer match, so it plays it safe and demands the key.
Motherboard or TPM repairs
A board swap or TPM replacement means the drive is now paired to a chip it has never met. Normal after a repair, and exactly when you need the key.
Boot and hardware changes
A new dock, a changed boot order, an added drive, even some USB gear plugged in at startup. Anything that changes how the machine starts can trip it.
Where the key actually lives, in order of likelihood
Check these in order, from any device that works. You are hunting a 48-digit number.
1. Your Microsoft account
Go to account.microsoft.com/devices/recoverykey and sign in with the same Microsoft account you use to log in to that machine. On most home and small business machines Windows saved the key here automatically, and this is where the hunt usually ends. Two things people miss: check every Microsoft account you own, not just the obvious one, and check the account of whoever originally set the machine up, because the key lands in whichever account was signed in when BitLocker went on.
2. Your work or school account
If an employer or a school set the laptop up, the key is almost certainly held in their system, which Microsoft calls Entra ID (previously Azure AD). Ask IT. It is a one-minute lookup, and holding your key is exactly what that system is for.
3. A printout or a USB stick from setup
When someone turns BitLocker on manually, Windows makes them save the key as a printout, a file or a USB stick. Check wherever the paperwork from the machine's purchase lives, and any old USB sticks in that drawer. You are looking for a small text file named BitLocker Recovery Key followed by a long ID.
4. Your OneDrive
Sign in to OneDrive in a browser and search for BitLocker. Keys sometimes sit in a saved recovery file there rather than showing on the devices page. While you are at it, search your email for BitLocker too; plenty of people have mailed the key to themselves and forgotten.
5. The company's management system
A business machine on a company network usually has its key held centrally, in Active Directory, Entra ID or whatever device management tool the IT provider runs. One call to whoever looks after the fleet.
What you are looking for
A BitLocker recovery key is 48 digits in eight groups of six, numbers only: 123456-123456-123456 and so on. It is not your password, not your PIN, and there are no letters in it. The recovery screen also shows a recovery key ID, a short code identifying which key the machine wants. If you find more than one saved key, match the ID on the screen to the ID stored next to each key. If the IDs do not match, it is the wrong key.
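An added example, not part of the original guide: a PowerShell check, run on any working PC, that reads the text of a saved key file, confirms the key is well formed and compares its identifier with the ID on the recovery screen. It relies on a property of the format the guide does not mention: each six-digit group is a multiple of 11 below 720896, so a single mistyped digit is caught. The file layout, the sample values and the function names are constructed for illustration, and the ID on the screen is assumed to be the start of the saved identifier.

```powershell
# Added example. The sample text is constructed; it is not a real key or ID.
$sample = @'
BitLocker Drive Encryption recovery key

Identifier:
    11111111-2222-3333-4444-555555555555

Recovery Key:
    110011-220022-330033-440044-550055-660066-135795-597531
'@

function Test-RecoveryPassword {
    param([Parameter(Mandatory)][string]$Key)
    # Shape: eight hyphen-separated groups of six digits, nothing else.
    if ($Key -notmatch '^\d{6}(-\d{6}){7}$') { return $false }
    foreach ($group in ($Key -split '-')) {
        $n = [int]$group
        # Each group is a 16-bit value multiplied by 11, so one wrong
        # digit always breaks the divisibility check.
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Get-SavedRecoveryKey {
    param(
        [Parameter(Mandatory)][string]$Text,
        [Parameter(Mandatory)][string]$ScreenKeyId   # ID shown on the recovery screen
    )
    $id  = [regex]::Match($Text, '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}').Value
    $key = [regex]::Match($Text, '\b\d{6}(-\d{6}){7}\b').Value
    [pscustomobject]@{
        Identifier    = $id
        RecoveryKey   = $key
        WellFormed    = [bool]$key -and (Test-RecoveryPassword -Key $key)
        # Assumption: the screen shows the leading characters of the identifier.
        MatchesScreen = [bool]$id -and $id.StartsWith($ScreenKeyId, [StringComparison]::OrdinalIgnoreCase)
    }
}

Get-SavedRecoveryKey -Text $sample -ScreenKeyId '11111111'
```

A key that is well formed but does not match the screen ID belongs to a different drive or an older encryption of the same one.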
If the key is genuinely gone
Straight answer: without the key, the data on that drive is unreachable. Not hidden, not tricky, cryptographically unreachable. That is the entire point of BitLocker. If a stolen laptop could be cracked open at a repair bench, the encryption would be worthless. There is no back door, and nobody is brute-forcing modern AES encryption, not a repair shop, not a data recovery lab, not anyone.
Be very wary of anyone who says they can crack BitLocker for a fee. They cannot. They will either reinstall Windows and hand you back an empty machine, or take your money and stall. It is snake oil.
What a reinstall does get you is the machine. Wipe the drive, reinstall Windows, and the hardware is back in service today. Your files come back only if a copy exists somewhere else, a backup drive, OneDrive, email attachments, a work server. Before you accept that, check every location above one more time. In eighteen years of doing this we have found the key far more often than not, usually in a Microsoft account the owner forgot existed.
Do this today, while your machine still boots
Reading this before a lockout? Five minutes now makes the whole problem disappear.
Confirm your key exists
From any browser, sign in at account.microsoft.com/devices/recoverykey and check a key is listed for your machine. Listed means covered: firmware updates, board swaps, the lot.
Save a second copy
On the machine, search Manage BitLocker in the Start menu and choose Back up your recovery key. Print it and file it with the passports. Paper does not get hacked, and does not get lost in a dead account.
Running a business? Escrow it
More than a couple of machines means keys belong in a management system that captures them automatically, not in a drawer. Then a lockout is a two-minute lookup, not a lost day.
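The three steps above as an added PowerShell example, not part of the original guide, for whoever looks after the machines. Saved as a script file and run from an elevated session while the machine still boots, it lists every recovery-password protector by ID and, when asked, escrows it with the built-in BitLocker cmdlets. The Mode parameter is this example's own, and directory escrow assumes the machine is joined to Entra ID or Active Directory and that policy allows the backup.

```powershell
#Requires -RunAsAdministrator
# Added example: report recovery-password protectors, optionally escrow them.
param(
    [ValidateSet('Report', 'EntraID', 'ActiveDirectory')]
    [string]$Mode = 'Report'
)

$report = foreach ($vol in Get-BitLockerVolume) {
    # Only RecoveryPassword protectors carry the 48-digit key.
    $protectors = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($vol.ProtectionStatus -eq 'On' -and $protectors.Count -eq 0) {
        Write-Warning "$($vol.MountPoint) is protected but has no recovery password."
    }
    foreach ($p in $protectors) {
        # Report the ID only; the key itself stays off the screen and out of logs.
        [pscustomobject]@{
            MountPoint     = $vol.MountPoint
            Protection     = $vol.ProtectionStatus
            KeyProtectorId = $p.KeyProtectorId
        }
    }
}
$report | Format-Table -AutoSize

foreach ($row in $report) {
    switch ($Mode) {
        'EntraID' {
            BackupToAAD-BitLockerKeyProtector -MountPoint $row.MountPoint `
                -KeyProtectorId $row.KeyProtectorId
        }
        'ActiveDirectory' {
            Backup-BitLockerKeyProtector -MountPoint $row.MountPoint `
                -KeyProtectorId $row.KeyProtectorId
        }
    }
}
```

The KeyProtectorId in the report is the value to compare with the key ID on a recovery screen, so keep the report with the asset record for each machine.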
One locked laptop is a warning shot
If a single BitLocker prompt cost you this morning, picture a firmware update rolling out to every machine in the office overnight. Fleets need key escrow: every drive's recovery key captured automatically the moment it is encrypted, readable by IT the moment it is needed. Sticky notes and spreadsheets do not survive contact with a real lockout. Same Day IT is the emergency arm of Alien IT Solutions, 18 years in Sydney business IT. We get you back in today where the key exists, we are straight with you where it does not, and then we set up escrow and real backups so it never bites again.
Questions people ask
Why is my laptop suddenly asking for a BitLocker recovery key?
Because the machine looks different to the security chip (the TPM) that normally unlocks the drive. BIOS and firmware updates, some Windows updates, a replaced motherboard, or a change to boot hardware can all trigger it. It is a security feature doing its job, not a fault, and your data is still intact behind it.
Where is my BitLocker recovery key?
Check in this order: your Microsoft account at account.microsoft.com/devices/recoverykey, your work or school account (ask IT), a printout or USB stick from when the machine was set up, your OneDrive, and for business machines the company's management system. On most home machines it is in the Microsoft account.
What does a BitLocker recovery key look like?
48 digits in eight groups of six, numbers only, like 123456-123456 and so on. It is not your password or PIN. The recovery screen also shows a key ID. If you have several saved keys, match the ID on the screen to the ID next to the saved key, otherwise the key will not work.
Can a repair shop unlock BitLocker without the recovery key?
No. BitLocker is full disk encryption with no back door, and without the key the data is mathematically out of reach. Anyone who claims they can crack it for a fee is selling snake oil. A shop can reinstall Windows and give you back a working machine, but that wipes the drive.
Will reinstalling Windows get my files back?
No. A reinstall wipes the encrypted drive and gives you back a working computer, not the data. Your files only come back if a copy exists somewhere else, like a backup drive, OneDrive, email, or a work server. That is why it is worth exhausting every key location first.
How do I stop this happening again?
Find your key today, while the machine still boots. Confirm it is listed in your Microsoft account, then keep a second copy: search Manage BitLocker in the Start menu and use Back up your recovery key. Businesses should escrow every machine's key automatically in their management system, not on sticky notes.
Locked out and the day is stopping?
Get a real technician working through every key location with you, remotely, in minutes. If the key exists we will find it. If it does not, we will tell you straight and get the machine back in service.