BitLocker
BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes.
The "Enter the recovery key" prompt during System Restore indicates that your drive is encrypted with BitLocker, and you need the BitLocker recovery key to proceed. Here’s what to do:
Locate the Recovery Key:
- Check your Microsoft account: Sign in at https://account.microsoft.com/devices/recoverykey to find the key.
- Look for a saved copy: The key might be on a USB drive, in a .txt file, printed, or stored with an administrator or organization if your device is managed.
Enter the Recovery Key:
- At the prompt, type the 48-digit recovery key exactly as provided, then press Enter.
If successful, System Restore should proceed, allowing you to select a restore point.
If You Don’t Have the Key:
Without the key, you cannot access System Restore or unlock the drive. You may need to reset your PC, which will erase all data. From the BitLocker recovery screen, press Esc, select "Skip this drive," then choose "Troubleshoot" > "Reset this PC" > "Remove everything."
Note: This will reinstall Windows, erasing all files and configurations.
Prevent Future Issues:
After resolving, consider disabling BitLocker auto-unlock in Control Panel > BitLocker Drive Encryption > "Turn off auto-unlock" for the C: drive, then reboot.
Alternatively, update BIOS or disable Secure Boot in UEFI settings if the issue persists.
If the key is unavailable and you choose not to reset, the drive stays locked: there is no way to bypass BitLocker encryption. Make sure you back up the recovery key in the future.
Check for BitLocker
To check BitLocker status for all drives in Windows:
manage-bde -status
BitLocker cannot be uninstalled because it is built into Windows 11; however, it does not have to be used. It is possible to disable the service.
Disable BitLocker service:
sc config bdesvc start= disabled
Prevent auto-encryption:
reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v PreventDeviceEncryption /t REG_DWORD /d 1 /f
Monitor:
manage-bde -status C:
Show the recovery key so you can save it:
manage-bde -protectors C: -get
BitLocker can use the Trusted Platform Module (TPM) in UEFI/BIOS for storing encryption keys, enabling automatic unlocking if TPM is configured; check UEFI/BIOS settings for TPM status or Secure Boot, which may be required.
Find recovery key
To find your BitLocker recovery key in Windows 11 Home using the Command Line Interface (CLI):
- Open Command Prompt as Administrator: Press Win + R, type cmd, press Ctrl + Shift + Enter, click Yes on UAC prompt.
- Run:
manage-bde -protectors C: -get
(replace C: with your encrypted drive letter).
Note the 48-digit Numerical Password displayed—this is your recovery key.
Optionally, save to a file: manage-bde -protectors C: -get >> D:\RecoveryKey.txt (replace D: with your desired drive).
If not found, check your Microsoft account at https://account.microsoft.com/devices/recoverykey from another device.
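A hand-copied or printed key can be checked for transcription errors before you depend on it. The following is an added example, not part of the original page; it relies on the structure of the numerical password (eight groups of six digits, each a multiple of 11 and below 720896), and the sample key in it is constructed, not a real key.

```python
import re

GROUPS = 8                  # 8 groups x 6 digits = 48 digits
GROUP_LIMIT = 11 * 65536    # each group is a 16-bit value multiplied by 11


def check_recovery_key(text):
    """Return a list of (group_number, problem) for a typed recovery key.

    group_number is None for whole-key format problems. An empty list means
    the key is well formed, not that it matches a particular drive.
    Messages never include key digits, so they are safe to log.
    """
    digits = re.sub(r"[\s-]", "", text)  # accept dashes/spaces as displayed
    if not re.fullmatch(r"[0-9]+", digits):
        return [(None, "key contains characters other than digits")]
    if len(digits) != GROUPS * 6:
        return [(None, f"expected 48 digits, got {len(digits)}")]
    problems = []
    for n in range(GROUPS):
        value = int(digits[n * 6:(n + 1) * 6])
        if value % 11 != 0:
            # Any single wrong digit in a group breaks divisibility by 11.
            problems.append((n + 1, "not a multiple of 11 (mistyped digit?)"))
        elif value >= GROUP_LIMIT:
            problems.append((n + 1, "value out of range"))
    return problems


def build_key(values):
    """Format eight 16-bit values as a key; used only for the sample below."""
    return "-".join(f"{v * 11:06d}" for v in values)


# Constructed sample, not a real key.
SAMPLE_KEY = build_key([1234, 40000, 65535, 0, 5000, 22222, 31415, 27182])

if __name__ == "__main__":
    typo = "013575" + SAMPLE_KEY[6:]  # last digit of group 1 changed
    for label, key in (("sample", SAMPLE_KEY), ("with typo", typo)):
        issues = check_recovery_key(key)
        print(label, "->", issues or "well formed")
```

A key that passes is only well formed; whether it unlocks a given drive depends on matching the protector ID shown by manage-bde -protectors C: -get.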
Disable and remove
You can disable or remove BitLocker encryption in Windows 11.
- Open Command Prompt as Administrator: Press Win + R, type cmd, press Ctrl + Shift + Enter, click Yes on UAC prompt.
- Disable BitLocker: Run manage-bde -off C: (replace C: with your encrypted drive letter).
- Monitor decryption: Run manage-bde -status C: to check progress (decryption may take time).
- Verify: Once complete, manage-bde -status C: will show “Protection Status: Protection Off” and “Encryption Percentage: 0%”.
manage-bde -off C:
manage-bde -status C:
Alternatively, to suspend BitLocker temporarily without decrypting:
manage-bde -protectors -disable C:
Note: Save your recovery key (from manage-bde -protectors C: -get) before proceeding in case of issues. If the drive is managed by an organization, contact the admin first.
If you get:
ERROR: This volume stores external key(s) that can automatically unlock other volumes. Before you can decrypt this volume, you must remove such keys.
- Identify auto-unlock keys: Run manage-bde -protectors C: -get to list protectors and note any “External Key” entries tied to other volumes.
- Clear auto-unlock keys: Run manage-bde -autounlock -ClearAllKeys C: (replace C: with your system drive).
- Retry decryption: Run manage-bde -off C:
- Check progress: Run manage-bde -status C: until “Encryption Percentage: 0%”.
manage-bde -autounlock -ClearAllKeys C:
manage-bde -off C:
manage-bde -status C: