
How to recover from lost BitLocker PINs and startup keys

Windows BitLocker Drive Encryption makes it possible to encrypt your system drive, but permanent data loss can occur if you forget the PIN or lose the startup key. This article explains some steps that you can take to regain your lost data.


BitLocker, a security feature introduced by Windows Vista, makes it possible to encrypt a workstation's system drive. As great as this option is, a forgotten PIN or a lost startup key can render the volume permanently inaccessible. In this article, I will show you how to cope with such a situation.

When you initially use BitLocker to encrypt a volume, it requires you to either enter a PIN or create a startup key. A startup key is typically stored on a USB flash drive that you insert each time you boot the machine. Hopefully, you have memorized your PIN or made backup copies of your startup key, but there is always the possibility that they will be lost. When this happens, you have to use an alternate mechanism for gaining access to the system.

The way to regain access to your system is to use the BitLocker recovery password. When you first enable BitLocker, you are asked where you want to save the recovery password. Vista gives you the option of saving the recovery password on a USB disk, saving it in a folder or printing it.

When you try to boot a BitLocker-encrypted system without your startup key, or you forget your PIN, you will see a screen similar to the one shown in Figure A. All you have to do to gain access to the system is enter the 48-digit recovery password. The process of entering the password is tedious, to say the least, but it should get you into the system. Once you gain access, you can decrypt the volume, remove BitLocker and then set BitLocker up again from scratch so that you can generate a new PIN or startup key.

Although this method for getting back into a protected system works, it has one fatal flaw: It puts the recovery password into the hands of the user who encrypted the volume. This is often the same user who forgot the PIN or misplaced the startup key. What are the odds, do you think, that the user has the recovery password in his possession and stores the recovery password in a responsible manner?

If you believe in Murphy's Law, then the odds are pretty high that the user won't have the recovery password. Fortunately, you can look up BitLocker recovery passwords through the Active Directory Users and Computers console. In order to do that, however, the domain must be configured to store BitLocker passwords and the encrypted workstation must be a domain member.

In order to store BitLocker passwords in Active Directory, all of your domain controllers must be running Windows Server 2003 with Service Pack 1 or higher. The procedure for configuring Active Directory to store BitLocker passwords is much too long to include in this article, but you can find the procedure here.
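Once the domain has been configured, each workstation still has to have a recovery password and actually escrow it, or the Active Directory lookup described later will come up empty. The script below is an added example, not part of the article or Microsoft's own tooling: it checks the Group Policy values written by the "Store BitLocker recovery information in Active Directory Domain Services" setting (the ActiveDirectoryBackup and RequireActiveDirectoryBackup values under HKLM\SOFTWARE\Policies\Microsoft\FVE), adds a recovery-password protector to any encrypted volume that lacks one, and backs every recovery password up to the computer object. It assumes the BitLocker PowerShell module, which shipped with Windows 8 and Windows Server 2012, well after the Vista-era article, and a domain-joined machine.

```powershell
# Added example (not from the article): make sure every BitLocker volume on this
# workstation has a recovery password and that the password is escrowed to AD.
# Requires the BitLocker module (Windows 8 / Server 2012 or later), a
# domain-joined machine and an elevated prompt.

#Requires -RunAsAdministrator

function Test-BitLockerAdBackupPolicy {
    # Reads the policy values behind "Store BitLocker recovery information in
    # Active Directory Domain Services". Returns $true only when backup is both
    # enabled and required before BitLocker may be turned on.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { return $false }
    $p = Get-ItemProperty -Path $fve
    return ($p.ActiveDirectoryBackup -eq 1) -and ($p.RequireActiveDirectoryBackup -eq 1)
}

function Confirm-BitLockerRecoveryEscrow {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Warning "$MountPoint is not BitLocker-protected; nothing to escrow."
        return
    }

    # A volume protected only by a TPM, PIN or startup key has no 48-digit
    # recovery password at all. Add one before trying to back it up.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Write-Host "No recovery password on $MountPoint; adding one."
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($protector in $rp) {
        # Escrow the recovery password under the computer object in AD. The
        # KeyProtectorId is the GUID BitLocker shows on its recovery screen.
        try {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $protector.KeyProtectorId
            Write-Host ("Backed up recovery password {0} for {1} to Active Directory." -f
                $protector.KeyProtectorId, $MountPoint)
        }
        catch {
            # Typical causes: not domain-joined, no domain controller reachable,
            # or the schema/permissions work from the linked procedure not done.
            Write-Warning ("Backup of {0} for {1} failed: {2}" -f
                $protector.KeyProtectorId, $MountPoint, $_.Exception.Message)
        }
    }
}

if (-not (Test-BitLockerAdBackupPolicy)) {
    Write-Warning 'Policy does not require AD backup of BitLocker recovery information on this machine.'
}
Get-BitLockerVolume | ForEach-Object { Confirm-BitLockerRecoveryEscrow -MountPoint $_.MountPoint }
```

Running this as a startup script or scheduled task turns the article's recommendation into something you can enforce rather than hope for: a volume that was encrypted before the policy existed, or whose recovery password was rotated with manage-bde, gets re-escrowed the next time the script runs.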

If you ever need to retrieve a recovery password from Active Directory, you have to install the BitLocker Recovery Password Viewer. Unfortunately, Microsoft does not make this utility available for download. You can get the password viewer for free by calling Microsoft's support department. The phone number is (800) 936-5700.

Once you install the BitLocker Recovery Password Viewer, you can view the recovery password directly through the Active Directory Users and Computers console. All you have to do is right-click the computer object you want to retrieve the password for and choose the Properties command from the resulting shortcut menu. You will see the password displayed on the resulting properties sheet.
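The viewer is a convenience over data that is already readable with ordinary directory tools. As an added example (not from the article and not Microsoft's code), the functions below read the same information with the ActiveDirectory PowerShell module: recovery passwords are stored as msFVE-RecoveryInformation child objects of the computer object, with the 48-digit password in msFVE-RecoveryPassword and the password ID in msFVE-RecoveryGuid. The lookup assumes, as the viewer does, that the GUID form of msFVE-RecoveryGuid is the ID BitLocker prints on the recovery screen, so the first eight characters of that ID pick the right password when a machine has several. The second function is the audit a help desk wants before the first lost PIN: which domain computers have nothing escrowed at all. Computer names and OU paths in the usage lines are constructed.

```powershell
# Added example (not from the article): read BitLocker recovery passwords from
# Active Directory and audit for computers with nothing escrowed. Requires the
# ActiveDirectory module and read access to msFVE-RecoveryInformation objects
# (by default only Domain Admins have it, which is the point).

Import-Module ActiveDirectory

function Get-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # Optional: the first 8 characters of the password ID shown on the
        # BitLocker recovery screen, to select one of several stored passwords.
        [string]$RecoveryKeyId
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $entries  = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated'

    foreach ($e in $entries) {
        # msFVE-RecoveryGuid is stored as an octet string; its GUID form is the
        # password ID BitLocker displays.
        $guid = [guid]::new([byte[]]$e.'msFVE-RecoveryGuid')
        if ($RecoveryKeyId -and
            -not $guid.ToString().StartsWith($RecoveryKeyId, 'OrdinalIgnoreCase')) { continue }
        [pscustomobject]@{
            Computer         = $ComputerName
            PasswordId       = $guid.ToString().ToUpper()
            Created          = $e.whenCreated
            RecoveryPassword = $e.'msFVE-RecoveryPassword'
        }
    }
}

function Get-ComputersWithoutEscrowedRecoveryPassword {
    # Audit: enabled computer accounts with no msFVE-RecoveryInformation child.
    # These are the machines where a forgotten PIN means data loss.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADComputer -Filter { Enabled -eq $true } -SearchBase $SearchBase | Where-Object {
        -not (Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                -Filter { objectClass -eq 'msFVE-RecoveryInformation' })
    } | Select-Object Name, DistinguishedName
}

# Usage (constructed names):
# Get-BitLockerRecoveryPassword -ComputerName 'WKS-0042' -RecoveryKeyId '1A2B3C4D'
# Get-ComputersWithoutEscrowedRecoveryPassword -SearchBase 'OU=Laptops,DC=example,DC=com'
```

Because the recovery password unlocks the volume outright, treat the output like any other credential: read it at the help desk, hand it to the user once, and then rotate the protector on the workstation so the disclosed password stops working.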

Allowing end users to use BitLocker encryption at will is a risky proposition. I strongly recommend storing BitLocker recovery passwords in Active Directory to avoid data loss as a result of lost startup keys or forgotten PINs.

Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.


Hi There,

I know the BitLocker PIN for the PC I am using, but I don't know the recovery key for it. Is there any possibility that I can use my PIN to retrieve the password/recovery key? Also, that recovery key is not stored on my PC either.
I forgot my BitLocker recovery key. Can I get it through the recovery key identification?
I don't know your exact set of circumstances, but there are several commands that you can use to alter BitLocker-encrypted files. You might try removing the recovery key and creating a new one. Here are the commands:

1. Suspend BitLocker protection:

manage-bde -protectors -disable %systemdrive%

2. Delete the recovery password:

manage-bde -protectors -delete %systemdrive% -type RecoveryPassword

3. Add a new recovery password:

manage-bde -protectors -add %systemdrive% -RecoveryPassword

4. Back up the new recovery password:

manage-bde -protectors -adbackup %systemdrive% -id {KeyProtectorID}

5. Enable BitLocker protection:

manage-bde -protectors -enable %systemdrive%
I am able to type in the numerals, but not the text...

My system crashed somehow. When I turn it on, it runs the diagnostic analysis. When I try to go back to the previous build, it asks for the recovery keys for my drives. I have the recovery key for one drive but not for the second one. I remember the password for both drives. Can you help me get the recovery key for the second drive so that I can reset my system again?

Please respond.
I know the password and recovery key but cannot access the drive data because I reinstalled Windows.
I have forgotten my BitLocker password and do not have the recovery key. Is there any process to unlock the drive?
I used BitLocker to lock my external hard drive by creating a password. At the same time a recovery key was also generated in a text file. I have both of them with me. But now when I want to unlock my disk, there is a pop-up message that Windows is not compatible and to try using the latest Windows. Sir, I have Windows 10 Pro with all the latest updates. Please advise.