BitLocker Recovery: No UEFI/BIOS Password

TL;DR

A UEFI/BIOS password is a firmware setting and has nothing to do with BitLocker. A BitLocker drive is unlocked by the TPM (optionally with a pre-boot PIN), and when the TPM cannot or will not release the key, or the drive has been moved to another PC, the only way in is the 48-digit recovery key. This guide explains how to find that key, how to confirm it is the right one, and how to use it.

Finding Your Recovery Key

  1. Check Your Microsoft Account: If the PC was set up with a personal Microsoft account (and on most consumer devices with automatic Device Encryption), the recovery key was uploaded to that account when protection was turned on.
    • Go to https://account.microsoft.com/devices/recoverykey (short link: https://aka.ms/myrecoverykey) and sign in with the account that was used on the PC. That is not necessarily your main account; if a family member set the PC up, try theirs.
    • You'll see a table of devices with Device name, Key ID and Recovery key. Match the Key ID against the Recovery key ID shown on the BitLocker recovery screen (the first 8 characters are enough), then copy the corresponding 48-digit key.
  2. Check Your Organisation's Key Management System: If this is a work or school computer, the key is escrowed centrally: in Microsoft Entra ID (Azure AD) for Intune- or Entra-joined devices, in Active Directory (or MBAM/SCCM) for domain-joined ones. Contact your IT department first! Where the administrator allows self-service, you can also view the keys for your own devices at https://myaccount.microsoft.com/device-list (Devices > View BitLocker keys).
  3. Check Printed Copies or USB Drives: When you enabled BitLocker, you were given the option to save the recovery key to a file (e.g., a text document) or print it out. Search your files and any labelled USB drives.
  4. Find the Recovery Key ID (WinRE): WinRE does not store the recovery key itself, so it cannot recover a lost one; what it can do is tell you which key you need. Every recovery key has a Key ID (a GUID) that is shown on the recovery screen and beside each key in your Microsoft account, Entra ID/AD or printed copy. To read it from the drive:
    • Boot from a Windows installation media (USB or DVD).
    • Choose 'Repair your computer'.
    • Go to Troubleshoot > Advanced options > Command Prompt.
    • Run the following commands:
      manage-bde -status
      manage-bde -protectors -get C:

      The first lists every volume with its Lock Status and encryption state. Drive letters in WinRE can differ from the installed OS, so don't assume the Windows volume is C:; pick the letter from that listing. The second lists the volume's key protectors; the entry labelled 'Numerical Password' carries the ID of the recovery key, the same ID shown on the recovery screen. Neither command ever displays a key: only the ID is stored on the disk, never the key itself.

Using Your Recovery Key

  1. At the Boot Screen: BitLocker shows the blue recovery screen when the TPM refuses to release the key, typically after a firmware (UEFI/BIOS) update, a change to boot order or Secure Boot settings, a reset of firmware settings to defaults, a motherboard or TPM replacement, or when the drive is moved to another PC. If your device uses a pre-boot PIN and you've forgotten it, press Esc at the PIN prompt to reach the same recovery screen. Note the Recovery key ID shown on the screen; it identifies which key to use.
    • Enter the 48-digit recovery key exactly as it appears. It consists of digits only (eight groups of six, separated by hyphens), so there are no letters to confuse with numbers. Each group carries a built-in check, so a mistyped group is rejected rather than accepted; if the key is rejected, re-check the group you are least sure of and confirm the Key ID matches.
  2. From WinRE Command Prompt: If you're in WinRE, you can unlock the drive using the command line.
    • Boot from Windows installation media as described above.
    • Open the Command Prompt (Troubleshoot > Advanced options).
    • Run the following command:
      manage-bde -unlock C: -RecoveryPassword {Your 48-digit recovery key}

      (Replace C: with your drive letter and {Your 48-digit recovery key} with the actual key.) Note the switch: -RecoveryPassword (short form -rp) takes the 48-digit key; -RecoveryKey (short form -rk) is a different option that takes the path to a .BEK key file saved to a USB drive, e.g. manage-bde -unlock C: -RecoveryKey E:\{ID}.BEK.
    • If this is the operating system drive and it asks for the key at every boot, unlock it, run manage-bde -protectors -disable C: to suspend BitLocker, boot into Windows, fix the cause (restore the boot order, finish the firmware update), then run manage-bde -protectors -enable C: so the key is resealed to the current boot configuration.

  3. Mounting the Drive in Another PC (Advanced): A BitLocker volume can be unlocked on any Windows PC with the recovery key; the TPM of the original machine is not needed and cannot help, because its protector is bound to that machine's TPM.
    • Connect the encrypted drive to a different Windows PC (an external enclosure or USB adapter is fine).
    • Windows normally assigns a drive letter automatically. If it doesn't, open Disk Management (search for 'Disk Management' in the Start menu), right-click the volume, select 'Change Drive Letter and Paths…' and assign one.
    • In File Explorer the volume shows with a padlock icon. Double-click it, choose 'More options', then 'Enter recovery key', and type the 48 digits.
    • Alternatively, from an elevated Command Prompt: manage-bde -unlock D: -RecoveryPassword {Your 48-digit recovery key} (replace D: with the letter Windows assigned).
    • Copy your data off the unlocked volume. This gets your files back; the original PC's boot problem still needs fixing separately.
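Putting the key check from step 1 and the second-PC unlock from step 3 together, here is an added PowerShell example (written for this edit, not code from the original guide) that validates the format of a recovery key before use, confirms its Key ID matches a recovery-password protector on the locked volume, and only then calls Unlock-BitLocker. It assumes an elevated PowerShell on a working Windows 10/11 PC with the BitLocker module, that the locked volume has been assigned D:, and that the key and ID are typed in at the prompts; D: and the prompts are placeholders. The format check relies on a documented property of the key: each 6-digit group is a 16-bit value multiplied by 11, so it must be divisible by 11 and can be no larger than 720885. It also assumes the key-protector list is readable while the volume is locked, which holds because that metadata is stored unencrypted in the volume header.

```powershell
# Added example, not code from the original article.
# Assumptions (placeholders): elevated PowerShell on a working Windows 10/11 PC
# with the BitLocker module; the locked volume has been assigned D:; the key and
# its ID are entered at the prompts at the bottom.

function Test-RecoveryPasswordFormat {
    <# Returns $null when the 48-digit recovery password looks valid,
       otherwise a message saying which group to re-check. #>
    param([Parameter(Mandatory)][string]$RecoveryPassword)

    $clean = $RecoveryPassword -replace '\s', ''          # drop stray spaces/newlines
    if ($clean -notmatch '^\d{6}(-\d{6}){7}$') {
        return 'Expected 8 groups of 6 digits separated by hyphens (digits only; a BitLocker recovery key contains no letters).'
    }
    $groups = $clean -split '-'
    for ($i = 0; $i -lt $groups.Count; $i++) {
        $n = [int]$groups[$i]
        # Each group is a 16-bit value multiplied by 11, so it must be divisible
        # by 11 and cannot exceed 65535 * 11 = 720885. Anything else is a typo.
        if (($n % 11) -ne 0 -or $n -gt 720885) {
            return "Group $($i + 1) ('$($groups[$i])') fails the check; re-type that group."
        }
    }
    return $null
}

function Unlock-VolumeWithRecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$MountPoint,        # e.g. 'D:'
        [Parameter(Mandatory)][string]$RecoveryPassword,  # the 48-digit key
        [string]$ExpectedKeyId                            # ID from the recovery screen or backup (optional)
    )

    $problem = Test-RecoveryPasswordFormat -RecoveryPassword $RecoveryPassword
    if ($problem) { throw "Recovery password rejected before any unlock attempt: $problem" }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.LockStatus -ne 'Locked') {
        Write-Host "$MountPoint is already $($vol.LockStatus); nothing to do."
        return $vol
    }

    # Key-protector metadata lives unencrypted in the volume header, so the IDs
    # are readable while the volume is still locked. Normalise them for matching.
    $ids = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId.Trim('{', '}').ToUpperInvariant() })
    Write-Host "Recovery password protector IDs on ${MountPoint}: $($ids -join ', ')"

    if ($ExpectedKeyId) {
        # The recovery screen and the account page may show only the first
        # 8 characters of the ID, so match on a prefix rather than the full GUID.
        $want = $ExpectedKeyId.Trim('{', '}').ToUpperInvariant()
        if (-not ($ids | Where-Object { $_.StartsWith($want) })) {
            throw "Key ID $ExpectedKeyId matches no protector on $MountPoint; this is probably the key for a different volume or device."
        }
    }

    # -RecoveryPassword takes the 48-digit key as a plain string (it is not a .BEK path).
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword -ErrorAction Stop
    return Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage: the values are typed in at run time, so nothing sensitive sits in the script.
$Key   = Read-Host 'Enter the 48-digit recovery key'
$KeyId = Read-Host 'Enter the Key ID shown on the recovery screen (or leave blank)'
Unlock-VolumeWithRecoveryPassword -MountPoint 'D:' -RecoveryPassword $Key -ExpectedKeyId $KeyId |
    Format-List MountPoint, LockStatus, ProtectionStatus
```

Test-RecoveryPasswordFormat is also useful on its own before you walk over to the locked machine: a key copied from a photo of a printout with one misread digit fails the group check on your desk instead of at the boot prompt, and the message tells you which group to look at.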

Important Notes

  • Key Accuracy: The recovery key is 48 decimal digits in 8 groups of 6. Each group is a 16-bit value multiplied by 11, so any group that is not divisible by 11 is a typo, and a wrong key is simply rejected. There is no attempt counter that permanently locks a drive unlocked with the recovery key; the TPM's anti-hammering lockout applies to the pre-boot PIN, not to the 48-digit key. If a carefully typed key keeps being rejected, compare its Key ID with the one on the recovery screen: you are probably holding the key for a different volume or device.
  • Lost Key: If you've lost your recovery key and don't have any backups, data recovery is extremely difficult (and usually impossible): the key is shown exactly once, when protection is enabled, and nothing on the machine can regenerate it. Prevention is crucial. On a working PC, manage-bde -protectors -get C: shows the current key so you can back it up; Control Panel > BitLocker Drive Encryption > 'Back up your recovery key' saves it to your Microsoft account, a file or a printout. Keep the copy somewhere other than the encrypted drive itself.
  • TPM Issues: A recovery prompt is usually not a faulty TPM but a changed boot measurement (firmware update, boot-order or Secure Boot change, firmware reset). Enter the key, then suspend and resume BitLocker (manage-bde -protectors -disable C: followed by manage-bde -protectors -enable C:) so the key is resealed to the new configuration and the prompt stops recurring. If the TPM was cleared or replaced, the TPM key protector must be recreated; consult your computer's documentation or a qualified technician before changing protectors.