
Bitlocker key

Mihaela-Dorica Stroia 0 Reputation points
2026-04-02T12:19:48.7866667+00:00

I have a company laptop which all of a sudden shows "system boot security violation". To get past this I need the BitLocker key, which no one in my institution has; the IT department didn't activate BitLocker, but it seems it is active and there is no key anywhere. How is this possible? Does anyone have a solution for how to get the BitLocker key?

Windows for business | Windows Client for IT Pros | Devices and deployment | Recovery key

2 answers

  1. Quinnie Quoc 10,645 Reputation points Independent Advisor
    2026-04-02T13:07:20.7633333+00:00

    Hi Mihaela-Dorica Stroia,

    Thank you for reaching out regarding the unexpected BitLocker prompt on your company laptop. BitLocker can sometimes be automatically enabled through hardware or firmware changes, or by default security policies, even if the IT department did not explicitly activate it. Once enabled, the recovery key is required to unlock the drive. The recovery key is typically stored in one of the following locations:

    - In the Azure Active Directory account if the device is joined to Azure AD.
    - In the Active Directory account if the device is domain-joined.
    - In the Microsoft account associated with the device.
    - On a printed copy or USB drive if saved manually during initial setup.

    If none of these locations contain the recovery key, the encrypted drive cannot be unlocked. This behavior is by design to protect data security. The recommended next step is to verify whether the device is joined to Azure AD or Active Directory, and check the associated accounts for the recovery key.

    If this answer clarifies the situation, please click Accept the answer to confirm.

    Best regards,

    QQ.


  2. AI answer

    2026-04-02T12:20:21.09+00:00

    BitLocker can be enabled and the recovery key backed up automatically without IT explicitly turning it on, depending on how the device was set up and managed.

    Key points for this scenario:

    1. How BitLocker might be enabled without IT “activating” it
      • On many modern Windows 10/11 devices, BitLocker (or device encryption) is automatically enabled when a user signs in with a Microsoft, work, or school account, or when the device is enrolled in management (for example, Intune/Entra ID join).
      • For work/school devices, the recovery key is typically backed up to the organization’s directory or device management system even if IT did not manually configure BitLocker on that specific machine.
    2. Where to look for the BitLocker recovery key
      Follow the official recovery paths in order:
      a. Work or school account (Entra ID / Azure AD)
      • If the device was ever signed in with a work or school account or joined to Entra ID, the key may be stored there.
      • From another device:
        1. Go to https://aka.ms/aadrecoverykey.
        2. Sign in with the work or school account used on the laptop.
        3. Go to Devices and expand the affected device.
        4. Select View BitLocker Keys.
        5. Match the Recovery Key ID shown on the blue BitLocker screen with the entry in the portal and use that 48‑digit key to unlock the drive.
      b. Intune Company Portal (if the device is Intune‑enrolled)
      • If the organization uses Intune and the device is enrolled:
        1. On any device, sign in to the Company Portal website with the work/school account.
        2. Go to Devices.
        3. Select the locked PC.
        4. Select Get recovery key, then Show recovery key.
        5. Use the displayed 48‑digit key on the BitLocker recovery screen.
      • If no key appears but the device is known to be encrypted and enrolled, IT must verify device enrollment and permissions or retrieve the key from their admin tools.
      c. Microsoft account (if it was ever used on the device)
      • If a personal Microsoft account was used and BitLocker/device encryption was enabled under that account, the key may be backed up there:
        1. From another device, go to https://aka.ms/myrecoverykey.
        2. Sign in with the Microsoft account that might have been used on the laptop.
        3. Match the Recovery Key ID from the BitLocker screen and use the corresponding key.
      d. Other locations
      • Printed copy of the recovery key (check any onboarding paperwork or IT handover documents).
      • USB flash drive containing a .txt file with the recovery key (if someone saved it there when BitLocker was first enabled).
    3. If no one can find the key
      • Microsoft Support and product teams cannot retrieve, regenerate, or bypass a missing BitLocker recovery key. This is by design.
      • If the key cannot be found in any of the locations above and the changes that triggered recovery cannot be undone, the only remaining option is to reset or clean‑install Windows on the device. This will remove all data on the encrypted drive.
      • For a clean install from USB, boot from the USB in BIOS/UEFI and perform a custom install, deleting all partitions on the internal drive before installing. In that case, BitLocker will not prompt for a key because the encrypted partitions are being removed.
    4. Action plan for the institution’s IT
      • Confirm whether the device is:
        • Entra ID joined or Hybrid joined.
        • Intune‑enrolled.
      • Check for the key in:
        • Entra ID device blade (via https://aka.ms/aadrecoverykey for end users, or admin portals for IT).
        • Intune Company Portal / admin center.
      • If no key exists in any corporate or personal account and no print/USB copy is available, plan for a full wipe/reimage and communicate that data on the drive cannot be recovered.
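Both answers above come down to the same two questions for IT: which directory is this device joined to, and was the recovery password ever escrowed there? The following PowerShell is an added example, not part of either answer or of the thread. It assumes an elevated PowerShell session on a company device that still boots (it cannot help on a drive already sitting at the recovery screen), the OS volume at C:, and that the built-in BitLocker module and dsregcmd are present. It reads the encryption state and the Recovery Key ID that the blue screen would display, shows the join state, and escrows any recovery password to Entra ID and/or on-prem AD so the next unexpected recovery prompt is not a data-loss event.

```powershell
# Added example (not from the Q&A thread). Run as Administrator on a device that
# still boots into Windows. Mount point "C:" is an assumption; adjust as needed.

$MountPoint = "C:"

# 1. Encryption state and key protectors on the OS volume
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"{0}: ProtectionStatus={1} VolumeStatus={2} Method={3}" -f `
    $vol.MountPoint, $vol.ProtectionStatus, $vol.VolumeStatus, $vol.EncryptionMethod
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# 2. Recovery password protector(s). The KeyProtectorId GUID is what the blue
#    recovery screen shows as "Recovery key ID" and what the portals are matched on.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Write-Warning ("No RecoveryPassword protector on $MountPoint; nothing can be escrowed. " +
                   "Add one with: Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector")
}

# 3. Join state tells IT which directory to search for an existing key
#    (AzureAdJoined / DomainJoined / DeviceId lines of dsregcmd output)
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|DomainJoined|DeviceId'

# 4. Escrow every recovery password to the directory the device is joined to.
#    Each call fails harmlessly on a device not joined to that directory.
foreach ($p in $rp) {
    try {
        # Entra ID (formerly Azure AD) joined or hybrid-joined devices
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop
        "Escrowed $($p.KeyProtectorId) to Entra ID"
    } catch {
        Write-Warning "Entra ID escrow failed: $($_.Exception.Message)"
    }
    try {
        # On-prem AD DS (requires the BitLocker recovery schema and policy on the domain)
        Backup-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop
        "Escrowed $($p.KeyProtectorId) to Active Directory"
    } catch {
        Write-Warning "AD DS escrow failed: $($_.Exception.Message)"
    }
}
```

The 48-digit recovery password itself is available as `$p.RecoveryPassword` on each protector object, which is how a printed or USB copy (the "other locations" in the answers above) is produced on a device that is still accessible. A device whose ProtectionStatus is On but which has only a Tpm protector and no RecoveryPassword protector is exactly the situation the question describes in the making: encrypted, with nothing anywhere that could unlock it after a firmware or boot-measurement change.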

