![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 52%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 23%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFS%3C/text%3E%3C/svg%3E)
Option 1: make sure you are using the correct BitLocker recovery key.
Each BitLocker‑encrypted drive has its own Recovery Key ID. If the Key ID shown on the recovery screen does not match the key you are entering, Windows will reject it every time.
On another device:
- Go to https://account.microsoft.com/devices/recoverykey
- Sign in with the Microsoft account used on the Surface
- Locate the recovery key whose Key ID exactly matches the one shown on the Surface screen
If the Key ID does not match, that recovery key will never work.
Option 2: If the Key ID matches but the recovery key is still rejected, try unlocking via Command Prompt (this often works when the UI does not).
On the BitLocker recovery screen:
- Select Advanced options
- Go to Troubleshoot → Advanced options → Command Prompt
At the command prompt, run:
manage-bde -status
Confirm the OS drive letter (usually C:), then run:
manage-bde -unlock C: -rp YOUR-48-DIGIT-RECOVERY-KEY
If the drive unlocks successfully, immediately run:
manage-bde -protectors -disable C:
Then restart the device.