Understanding BitLocker (and how to deal with it before BIOS updates)

Read this first

Before you install a BIOS update or any other firmware update, please take a moment to check whether BitLocker is active on your system.

BitLocker is Windows drive encryption. After certain firmware-related changes, Windows may ask for the BitLocker recovery key on the next boot. If that happens and you do not have the correct key, you will not be able to continue booting or access your data.

The recovery key is a long 48-digit number, separated by dashes. It is not the same as your normal Windows password, PIN, or Microsoft account password.

Example recovery key:

123456-789012-345678-901234-567890-123456-789012-345678

Do not start a BIOS or firmware update unless one of the following is true:

- You already have your BitLocker recovery key and can access it from another device.
- BitLocker protection has been suspended or disabled before running the update.

In the following chapters, we will explain how to check your BitLocker status, how to find your recovery key, and what to do before updating your BIOS.

How to handle BitLocker before installing a BIOS update

Introduction

If you do not have your BitLocker recovery key, or you are not sure where it is, do not proceed with a BIOS update without preparation. You must suspend or disable BitLocker first. Suspending and disabling are not the same thing; the difference is explained in this chapter.

If you already have the recovery key, and you will be able to access it even if your system does not boot (either printed or available on another device), then you can proceed without suspending or disabling BitLocker.

If the laptop belongs to a company, school, or university (i.e. you use a work or school account to log in to Windows), please ask your IT department for support.
The recovery key may be managed by the organization, and suspending BitLocker may not be possible without IT admin access, or it may conflict with company policy.

Where can I find my BitLocker recovery key?

If the recovery screen appears after a BIOS update, note the first 8 digits of the Key ID. That helps you pick the correct key if you have more than one saved.

Please open this page and sign in with your Microsoft account:

https://account.microsoft.com/devices/recoverykey

If you are logged in with a company or school account, use this link instead:

https://aka.ms/aadrecoverykey

After you sign in, you will see a page that looks like this: [screenshot: the "BitLocker recovery keys" page of your Microsoft account]

The table shows three essential columns:

- Device name: a name that is randomly assigned during Windows setup. It can also be custom-assigned by your IT department, or by yourself.
- Key ID: if your system asks you for your BitLocker recovery key, it will show you this key ID to help you identify which recovery key you need.
- Recovery key: the actual key that you will need to enter. It is essential that you have access to this key, and it is recommended to create a backup.

Side notes:

- Since Windows 11 version 24H2, the recovery screen also shows a hint for the associated Microsoft account.
- When enabling BitLocker manually, Windows also offers to store the recovery key in a text file that can be printed or stored on a USB flash drive. This backup can also be done at any time (provided the system is bootable) – see this chapter.

Where can I find my device name?

You can find your Windows device name by searching for "About your PC" in the Windows Start menu.

This device name can be changed by yourself to make it more recognizable.
If you are logged into your Microsoft account, changing your device name in Windows will also update the listing in your online BitLocker recovery key table.

What if my device is administered by my organisation?

If the device (or rather the Windows installation on the device) was ever connected to a work or school account, the key may be visible in that account's device section. Depending on user configuration, the organisation's IT department may need to retrieve it from there. You can use this copy/paste message to contact your IT department:

Hello, I am planning to perform a BIOS update on my device.
Model: [insert full model name including product ID or generation]
Device name: [insert device name]
Since the device is protected with BitLocker, I will either need access to the BitLocker recovery key or confirmation that it is safe to suspend BitLocker before proceeding. Otherwise, performing the BIOS update may cause a BitLocker recovery event and permanently lock me out of my system and data. Please advise on the correct procedure or provide the recovery key if applicable.
Thank you!

Information on how to find your device name is listed in the chapter above.

Users with local/offline accounts need to be especially careful!

Users with local/offline accounts may still have BitLocker enabled, even if they are not aware of it. This is explained in more detail in a paragraph further down.

Unlike users with a Microsoft account, offline account users do not have the luxury of an online backup of their recovery key. You will have to extract and store the BitLocker key yourself – or disable/suspend BitLocker before the BIOS update.

That means local-account users should be extra careful before any BIOS or TPM update.
If you do not have a manual backup of your recovery key (printout or .txt file on a separate drive), please check manually whether BitLocker is enabled and suspend or disable it before updating.

How can I create a manual backup of my BitLocker recovery key?

It depends on your Windows version.

Windows 11 Home does not offer the "Manage BitLocker" interface and thus does not offer any GUI for manual key backup.

- If you are logged into Windows with a Microsoft account, key backups are located in your Microsoft account, as explained in this chapter.
- If you are only logged into a local/offline account, Windows 11 Home does not offer any convenient key backup method.

In both scenarios, you can still use Microsoft's official command-line interface to create a manual backup of your recovery key. Please see this chapter for details. Alternatively, see this chapter for our BitLocker Tool, which is built on top of Microsoft's command-line interface.

If you are on Windows 11 Pro, Enterprise or Education, please follow these steps:

1. Open the Start menu.
2. Type "BitLocker".
3. Find "Manage BitLocker".

Alternative path: Windows Settings > Privacy & security > Device encryption > BitLocker drive encryption

Once you are there, click on "Back up your recovery key" for the system drive.

Make sure to store the key in a safe location: either printed and stored in a safe place, or saved to a file that is then placed in a safe place (i.e. not on the same device). The option "Save to your Microsoft account" only works if your Windows is logged into that Microsoft account – the option is not available for users with local or offline accounts.

For more information, please refer to Microsoft's support page: Back Up Your BitLocker Recovery Key [microsoft.com]

What is the difference between disabling and suspending BitLocker?

Suspending BitLocker is only a temporary action. The drive stays encrypted, but BitLocker stores a clear key in a non-encrypted segment on the drive volume itself (not inside the TPM).
Windows can therefore boot even if the firmware status has changed following a BIOS update. It is therefore recommended that you suspend BitLocker before carrying out any BIOS or TPM updates.

Disabling or turning off BitLocker is different – it leads to full disk decryption. Depending on the size, speed and utilization of your disk, decrypting the disk will take a certain amount of time. You can check whether the process is still running or has already been completed via "Manage BitLocker" in the Control Panel (or via "manage-bde" in the Command Prompt).

If the system is restarted, shut down, or loses power before completing the decryption, it's no problem. The decryption will resume where it stopped the next time Windows starts.

If your goal is only to avoid a recovery prompt after a BIOS update, suspend is the better option. Turn off BitLocker only when you deliberately want the drive fully decrypted permanently.

How to suspend (or disable) BitLocker

As in this chapter, it depends on your Windows version:

Windows 11 Home does not offer a GUI method to suspend BitLocker. You can either disable Device encryption completely (this will trigger decryption of the drive), or use the command-line interface (or our tool) to perform the "suspend" action manually. Please note that suspend and disable are not identical – see the chapter above for details.

To disable Device encryption in Windows 11 Home, follow these steps:

1. Search for "Device encryption" in the Windows Start menu. Alternatively, open Windows Settings > Privacy & security > Device encryption.
2. If Device encryption is "On", set it to "Off".
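For Windows 11 Home, where the Settings app offers no suspend action, the suspension can be done with Microsoft's BitLocker PowerShell module instead of decrypting the whole drive. The following script is an added example written for this article; it is not code from the original page and not the Schenker BitLocker Tool. It assumes the drive to treat is the Windows system drive (C:), that the script is run from an elevated PowerShell, and, as described later in this article, it sets RebootCount to 0 so that an accidental reboot into Windows before the flash does not re-arm BitLocker (the cmdlet default is 1).

```powershell
# Added example for this article (not code from the original page and not the
# Schenker BitLocker Tool): suspend BitLocker on the system drive from an elevated
# PowerShell before a firmware update, verify it really is suspended, and resume
# it afterwards. Uses only Microsoft's BitLocker PowerShell module.
#Requires -RunAsAdministrator

param(
    # The Windows system drive is the one that matters for a BIOS/TPM update.
    [string]$MountPoint = $env:SystemDrive,
    # 'Suspend' before the update, 'Resume' once you have booted back into Windows.
    [ValidateSet('Suspend', 'Resume')]
    [string]$Action = 'Suspend'
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Host "$MountPoint is not encrypted; nothing to suspend or resume."
    return
}

switch ($Action) {
    'Suspend' {
        if ($vol.ProtectionStatus -eq 'Off') {
            Write-Host "Protection on $MountPoint is already suspended."
        } else {
            # RebootCount 0 keeps the suspension until Resume-BitLocker is run.
            # The cmdlet default is 1, which would re-arm BitLocker after a single
            # stray reboot into Windows, even if the BIOS update has not started yet.
            Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
        }
    }
    'Resume' {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
}

# Re-read the state: ProtectionStatus must read 'Off' before you flash, and
# 'On' again after resuming. The drive stays encrypted the whole time.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
[PSCustomObject]@{
    MountPoint       = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    SafeToFlashBios  = ($vol.ProtectionStatus -eq 'Off')
} | Format-List
```

Save it under any name (for example bitlocker-suspend.ps1, a name chosen for this example), run it once before the BIOS update and check that SafeToFlashBios reads True, then run it again with -Action Resume after Windows has booted successfully on the new firmware. Suspending is immediate; VolumeStatus stays "FullyEncrypted" throughout, which is exactly what distinguishes suspend from turning BitLocker off.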
If you are on Windows 11 Pro, Enterprise or Education, please follow these steps:

1. Open the Start menu.
2. Type "BitLocker".
3. Find "Manage BitLocker".

Alternative path: Windows Settings > Privacy & security > Device encryption > BitLocker drive encryption

Once you are there, click on "Suspend protection" and confirm.

After this is done, you can reboot and follow the steps to update your BIOS as outlined in our documentation. To get started, please refer to this article: How can I update the EC/BIOS firmware of my laptop?

After your BIOS update is complete and you have successfully booted back to Windows, go back to the same place as indicated above and choose "Resume protection".

If I suspend BitLocker, how long should I wait before starting the BIOS update?

Suspending BitLocker is immediate. It does not decrypt the SSD. The drive remains encrypted, but Windows places a clear key on the volume and stops enforcing the normal startup integrity checks so that firmware changes do not trigger recovery.

Once Windows shows that protection is suspended, you can proceed with the BIOS update; there is no need to wait for a long background process to finish.

What if there is no option to suspend BitLocker?

On some systems, depending on the Windows edition or device configuration, the BitLocker management interface does not offer a "Suspend protection" option. Instead, you may only see the option to "Turn off BitLocker".

In this case, you will either need to access and back up your BitLocker recovery key or simply turn off BitLocker before proceeding with the BIOS update.

Turning off BitLocker starts a full decryption of the drive. While Windows technically allows you to reboot or shut down during decryption (the process will resume afterward), it is recommended to wait until decryption is fully completed before performing the BIOS update.

Once decryption is finished, the status will change from something like "Decrypting" to "BitLocker is off".
Only then should you proceed with the BIOS update.

Side notes:

- The Windows user interface allows the suspension of BitLocker only for the Windows system drive (the system partition, i.e. drive letter C:\). Suspending encryption on secondary drives or removable media is not supported in the GUI. However, suspension via the command line is possible for all drives.
- Likewise, if the BitLocker management interface does not offer suspension for the system partition, it is still available using command-line interfaces (see this chapter and the following ones).

What is the difference between Windows 11 Home and Pro (regarding BitLocker)?

Windows 11 Home and Windows 11 Pro use the same underlying encryption technology, but they offer different user interfaces and levels of control.

On Windows 11 Home, encryption is exposed as "Device encryption" in Settings. Windows 11 Home only offers a simple "On" and "Off" switch for Device encryption.

On Windows 11 Pro, Enterprise, and Education, users have access to the "Manage BitLocker" control panel. This interface allows manual backup of recovery keys, suspension of protection before firmware updates, and access to other advanced options.

I'm using an offline account – not a Microsoft account. What do I need to know?

For users who deliberately choose not to sign into Windows with a Microsoft account, the Windows 11 Home user interface does not provide any way to create or save a BitLocker recovery key.

On the Device encryption settings page, Windows writes "Sign in with your Microsoft account to finish encrypting this device", but this is misleading.
Encryption has already taken place; Windows just hasn't given you the recovery key "yet"!

Users with a Microsoft account can find their BitLocker key within that account – this service is not available to users with an offline account.

In Windows 11 Home, the link to "BitLocker Drive Encryption" (Manage BitLocker) simply leads to the Microsoft Store, where an upgrade to Windows 11 Pro is offered.

In Windows 11 Pro and higher editions, you can manually back up the recovery key via the "Manage BitLocker" interface. Windows 11 Home does not offer this option.

Recommendations for users with an offline account and Windows 11 Home:

- Back up your recovery key with the command-line tool "manage-bde" (see this chapter).
- Or use our BitLocker Tool to check and manage BitLocker status and to extract your recovery key (see this chapter).
- Or simply turn Device encryption off if you plan to perform a BIOS update.

I cannot find BitLocker, nor Device encryption, on my device

Depending on system configuration, Windows may not offer Device Encryption (or BitLocker) at all. This usually means that certain technical requirements are not met.

Common requirements include:

- Secure Boot enabled in BIOS setup.
- TPM (Trusted Platform Module) available.
- Support for PCR7 binding (a component in TPM).
- A working Windows Recovery Environment (WinRE).

If one or more of these conditions have been missing or misconfigured since the initial Windows setup, Windows will normally not enable Device Encryption automatically. However, BitLocker may already be enabled through other or prior configurations, so the absence of Device encryption in Windows settings is not a reliable enough signal to confirm whether or not your system drive is encrypted.

Before a BIOS update, we still advise checking manually:

- Use command-line tools such as "manage-bde" (see this chapter).
- Or use our helper tool to check and manage BitLocker status (see this chapter).
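Both the manual check described above and the manual key backup described in the chapter "How can I create a manual backup of my BitLocker recovery key?" can be done in one pass with Microsoft's BitLocker PowerShell module, which also works on Windows 11 Home and with offline accounts. The following script is an added example written for this article; it is not code from the original page and not the Schenker BitLocker Tool. It assumes an elevated PowerShell, and the backup path D:\ is a placeholder for a USB stick or another drive that is not the encrypted system drive.

```powershell
# Added example for this article (not code from the original page and not the
# Schenker BitLocker Tool): inventory BitLocker on every volume and save each
# 48-digit recovery password with its Key ID to a text file on a separate drive.
# Uses only Microsoft's BitLocker PowerShell module; the backup path is an
# assumption for this example and should point at a USB stick or other drive.
#Requires -RunAsAdministrator

param(
    # Never store this file on the encrypted system drive itself.
    [string]$BackupPath = "D:\BitLocker-Recovery-Keys-$(Get-Date -Format 'yyyy-MM-dd').txt",
    # Optionally add a recovery password to an encrypted volume that has none
    # (for example a data drive that only has a TPM or auto-unlock protector).
    [switch]$AddMissingRecoveryPassword
)

$report = foreach ($vol in Get-BitLockerVolume) {
    # The recovery screen shows the first 8 characters of the KeyProtectorId of
    # the RecoveryPassword protector, so Key ID and key are kept together here.
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    if ($rp.Count -eq 0 -and $vol.VolumeStatus -ne 'FullyDecrypted' -and $AddMissingRecoveryPassword) {
        $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
        $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    [PSCustomObject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, DecryptionInProgress, ...
        ProtectionStatus = $vol.ProtectionStatus    # On, or Off while suspended or decrypted
        Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
        KeyId            = (($rp | ForEach-Object { $_.KeyProtectorId.Trim('{}') }) -join ', ')
        RecoveryPassword = ($rp.RecoveryPassword -join ', ')
    }
}

# On-screen summary without the secret itself.
$report | Select-Object MountPoint, VolumeStatus, ProtectionStatus, Protectors, KeyId |
    Format-Table -AutoSize

# The dangerous case this article warns about: encrypted, but no recovery password anywhere.
$report | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and -not $_.RecoveryPassword } |
    ForEach-Object { Write-Warning "$($_.MountPoint) is encrypted but has no recovery password protector." }

# Write the actual backup: drive, Key ID and the 48-digit key, one block per volume.
$lines = foreach ($e in ($report | Where-Object RecoveryPassword)) {
    "Drive:        $($e.MountPoint)"
    "Key ID:       $($e.KeyId)"
    "Recovery key: $($e.RecoveryPassword)"
    ''
}
if ($lines) {
    Set-Content -Path $BackupPath -Value $lines -Encoding ASCII
    Write-Host "Recovery keys written to $BackupPath (keep this file off the encrypted device)."
} else {
    Write-Host 'No recovery password protector found on any volume.'
}
```

A volume that reports VolumeStatus "FullyEncrypted" with a Protectors list of only "Tpm" is exactly the situation the article describes for offline accounts on Windows 11 Home: the drive is encrypted, but no recovery password exists that could be backed up. Running the script once more with -AddMissingRecoveryPassword adds one and writes it to the file; if you do that, read the "Key ID" line from the file so you can match it against the recovery screen later.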
Does every BIOS update trigger a BitLocker recovery?

No. Not every BIOS, firmware, or TPM update will trigger the BitLocker recovery screen. It only happens with certain updates, e.g. if a BIOS update includes updates to the TPM firmware or if it causes a clearing or reconfiguration of TPM storage.

Whether or not an update will trigger such a condition is not always apparent in the update's changelog. It may also depend on the state of the end-user's system: for example, if the user skips multiple updates (i.e. comes from a very old version), the latest update may trigger this condition, even if the change was not introduced in the latest update itself.

Therefore, it is always safer to simply assume that a BitLocker recovery condition will be triggered, and to be prepared for it, by either gaining access to the BitLocker recovery key, or by disabling/suspending BitLocker before running the update.

Background information

What is BitLocker?

BitLocker is Windows drive encryption that works invisibly in the background. According to Microsoft, it protects the data on your SSD so that someone cannot simply remove the drive or boot it another way and read your files.

On modern Windows laptops, BitLocker is usually already active by default, even if the user or owner of the device never turned it on manually.

What is the difference between "Device encryption" and "BitLocker"?

"Device encryption" is the simpler, consumer-facing interface of BitLocker – it is the only available interface on Windows 11 Home. The more detailed "Manage BitLocker" menu is limited to Windows 11 Pro, Enterprise and Education.

As both variants use the same underlying technology (with the same advantages and, unfortunately, the same pitfalls), BitLocker is used synonymously with "Device encryption" within this article.

Why can a BIOS or TPM update trigger a recovery-key prompt?

BitLocker uses measurements of the firmware and boot environment, recorded in the TPM, to decide whether the system still looks trusted.
A BIOS update, EC update, Secure Boot change, or TPM firmware change can alter those measurements. When that happens, Windows may treat the next boot as a possible tampering event and ask for the 48-digit BitLocker recovery key, even if you are the real owner of the laptop.

To make sure you are prepared for this event, please read the initial chapters of this article.

Is BitLocker enabled by default?

On modern hardware, it is safe to assume that BitLocker is enabled by default.

- When using a Microsoft account, or if you are logged in through a work or school account, BitLocker is expected to be enabled by default.
- When using an offline account, BitLocker may also be enabled by default under various conditions. This is further explained in the next chapter.

All of this is true regardless of the edition of Windows, including Windows 11 Home, Pro, Enterprise, and Education.

Given the potentially catastrophic data loss in a worst-case scenario – that is, if you lock yourself out without access to the recovery key – it is advisable to assume, for the time being, that BitLocker is enabled. You can then check manually whether this is actually the case, and then either suspend or disable BitLocker as required, or at the very least create a backup of the recovery key. The relevant steps are described in the initial chapters of this article.

Trust, but verify.

Is BitLocker enabled by default even on offline accounts? (Yes, more often than not.)

It depends, but it is safer to assume that it is enabled.

Microsoft officially states that BitLocker is not turned on automatically for local-account users. Quote:

"If you're using a local account, Device Encryption isn't turned on automatically." (Source)

However, in practice, this is not 100% reliable.
Depending on the installation method or the original device condition, BitLocker may already have been enabled before user account creation.

Also, Microsoft does not really support local/offline accounts anymore – for years now, using an offline account has required a secret (not-so-secret) command-line trick during setup. Therefore, any Microsoft statements regarding conditions for offline account users must be taken with a grain of salt, as they might be outdated or inconsistent with technical reality or different update levels.

Practical takeaway: do not simply assume BitLocker is off just because you never enabled it yourself. Check before flashing the BIOS.

Is BitLocker enabled again automatically after I manually suspended it?

It depends on how BitLocker was suspended.

- If BitLocker was suspended via Windows settings, it will not be re-enabled automatically.
- If BitLocker was suspended through PowerShell with otherwise default parameters, it will be re-enabled after the next successful boot. This is documented on this page. Microsoft writes:

"You can specify the number of times that a computer restarts before the BitLocker suspension ends by using the RebootCount parameter, or you can use the Resume-BitLocker cmdlet to manually resume protection. If you do not specify the RebootCount parameter, the cmdlet uses a value of one (1), so BitLocker protection resumes after the next restart."

If, on the other hand, you disable protection using our BitLocker Tool, the RebootCount parameter is set to zero (0), meaning that BitLocker remains permanently suspended unless you manually reactivate (resume) it.

Our measure is designed to protect users from accidental reboots and the subsequent reactivation of device encryption during a BIOS update.
The reasoning behind this is as follows: under normal circumstances, the user would suspend BitLocker and then reboot the system, disable Secure Boot in BIOS setup, Save & Exit, then hold a certain hotkey to boot from USB media to start the BIOS update. However, if the user misses pressing the hotkey, or if boot from USB fails (e.g. because Secure Boot is still enabled), Windows would boot again. This would already count as a normal reboot. With the default "RebootCount" setting of 1 (the PowerShell default), BitLocker would automatically reactivate itself, even if the BIOS update hasn't even started yet.

That is why our BitLocker tool sets the "RebootCount" value from the default of 1 to 0. This is in line with how the "Manage BitLocker" user interface operates.

Do separate drives or partitions have separate recovery keys?

Yes, the recovery key is generally unique for each drive or partition. If you are logged into Windows with your Microsoft account, Microsoft stores all those keys separately on the "BitLocker recovery keys" page in your account. The keys are labelled by drive identifier – the system partition is labelled "OSV" (Operating System Volume).

If you use a local account (offline account), and you want to enable BitLocker for separate storage devices or removable media (including USB thumb drives), you must manage the recovery keys for each of those drives manually and individually.

I'm an admin. How can I control BitLocker through the command line?

Open a Command Prompt as administrator and use the following commands:

Command                          Description
manage-bde -h                    Shows all commands and documentation.
manage-bde -status               Shows the status of BitLocker for all installed storage devices and partitions.
manage-bde -protectors -get C:   Lists protectors, such as the recovery key, for partition C:\

Additional commands for Command Prompt or PowerShell are available on these support pages:

- BitLocker operations guide [microsoft.com]
- Windows PowerShell > BitLocker Module [microsoft.com]

Our tool to manage BitLocker and Device encryption

We provide a tool to help you suspend or disable (or resume/enable) BitLocker on selected or all drives in your system in one single step. Our tool also allows you to create backups of your BitLocker recovery keys – regardless of whether you have an online or offline account, and regardless of whether you're using Windows 11 Home or Pro.

→ Download: https://download.schenker-tech.de/package/bitlocker-tool/

Our tool uses the official PowerShell commands for BitLocker management as outlined in the articles linked above.

We use this tool internally to automatically disable BitLocker for SSD performance and stress tests. We provide it here to simplify support procedures, especially for users on Windows 11 Home for whom Microsoft does not offer any graphical interface (besides the online Microsoft account) to extract recovery keys for their device encryption (see this chapter for more info on that).

Does BitLocker really keep my data safe if my device is stolen?

Arguably yes.

BitLocker is specifically designed to protect your data from unauthorized access if your laptop or SSD is stolen. With BitLocker, all data on your drive is encrypted. If someone removes the SSD and connects it to another computer, the contents cannot be read (or rather: cannot be deciphered) without the correct key.

The key is tied to the device's Trusted Platform Module (TPM). The TPM only releases the key when the system boots normally on the original hardware, and with the original boot environment (firmware configuration).
This means your data remains protected against offline access.

What if someone boots Windows and tries to bypass my login or create a new account?

If a thief gets access to the whole device and boots the system, BitLocker is no longer the sole protection layer at that point. The drive is already unlocked because the system booted normally. From there, protection depends on standard Windows security, especially on having a user account with a sufficiently secure password and ideally additional authentication layers such as a PIN, face recognition or a 2FA token.

If an attacker cannot gain access to the owner's user account, they cannot create secondary accounts or gain any other access to the data decrypted in the background. Creating a new local account is an administrative action that requires access to an existing administrator account.

Changes at the firmware level, such as altering the boot order or installing a different boot manager (for example, booting a second operating system to access data on the primary SSD), ensure that the TPM no longer releases the key for the BitLocker-encrypted partitions – thereby also blocking this route of access.

A reinstall that preserves access to the old data (a side-by-side Windows install) is also not feasible. Reason: without the recovery key, external boot media (e.g. a USB thumb drive created with Microsoft's Media Creation Tool) cannot access the encrypted Windows volume, so they can also not write a separate Windows installation or boot loader on it.

The only option left to an attacker would be to wipe the SSD and reinstall Windows.
Whilst this would allow them to take control of the PC or laptop, the data originally stored on it would be irretrievably lost; thus, unauthorized access to protected data is sufficiently thwarted.

Nothing is perfect, or: How to improve protection against sufficiently motivated attackers

The chain of protection from BitLocker to Windows user accounts and NTFS permissions relies on the assumption that there are no known exploits that can break the chain. Once the TPM has released the BitLocker key to Windows following a normal boot process, the operating system does, in principle, have access to the data. A sufficiently motivated attacker (or a state-sponsored actor) would then, in theory, only need to exploit a previously unknown vulnerability or carry out some kind of physical attack to gain privileged access to the system that has already booted up.

So, in the event of a targeted and highly motivated attack, BitLocker alone will not be able to provide perfect protection against data extraction.

This is a reasonable trade-off between security and convenience: Windows can unlock the drive automatically during a normal, trusted boot, so you don't have to enter a password to boot your PC or laptop. Once booted, Windows is able to utilize more complex features such as infrared cameras for facial recognition to unlock your user account, again with the convenience of not having to enter a PIN or password. All these are important comfort features that make encryption palatable for everyday use. Without this level of convenience, most home users would likely not use encryption at all, leaving themselves vulnerable to petty theft. That's why BitLocker is a very effective form of protection, which works particularly well for the general public – but it is not (or cannot be) perfect.

A complex, zero-day exploit-based attack such as the one described above is far beyond the capabilities of average criminals.
However, such a scenario is certainly part of the threat model one might expect from potentially highly motivated, well-resourced attackers.

If you wish to protect your system not only against normal loss or theft, but are also concerned about targeted access to highly sensitive files, a second layer of encryption is recommended – one that is separate from the everyday Windows boot process.

For professional users, Microsoft offers additional, optional security layers where the user has to enter a PIN or insert a prepared USB drive (holding a key file) already at boot. This would prevent the scenario outlined above, as the decryption or unlocking of the storage drive would only occur after the user has provided the appropriate key.

These additional authentication vectors are documented on this support page: BitLocker planning guide > BitLocker key protectors [microsoft.com]

However, these additional features are not available in Windows 11 Home – only in Windows 11 Pro, Enterprise or Education.

Alternatively, a more straightforward method is an encrypted container file in which you store all your sensitive data and which only opens after you enter a separate passphrase. VeraCrypt, a successor or fork of the discontinued TrueCrypt project, is a current free, open-source option for exactly that kind of use case. Other solutions are listed and compared in this Wikipedia article: Comparison of disk encryption software > Layering [en.wikipedia.org]

Troubleshooting

I am locked out and Windows is asking for the BitLocker key

On the recovery screen, note the first 8 digits of the Key ID. Then, on another device, find the matching key in your Microsoft account, your work or school account, or your saved printout, USB drive, or text file. Enter the matching 48-digit key. For more information, please read the initial chapters of this article.

I cannot find my recovery key

Have you checked online (on another device) in your account on Microsoft.com?
Follow this link:

https://account.microsoft.com/devices/recoverykey

If you are logged in with a company or school account, use this link instead:

https://aka.ms/aadrecoverykey

We have described the procedure in detail in this chapter: Where can I find my BitLocker recovery key?

If a key matching the first 8 digits of the Key ID listed by the recovery screen is not listed in your account, please check:

- Was the device originally set up by another person? Please ask that person to check their Microsoft account for the key, or ask if they have a local backup of the recovery key.
- Was the device ever signed into a company or school account? Check with the IT department of your organisation and ask them for the recovery key.
- Has the recovery key ever been backed up to a printout, USB drive, or saved text file? Please think carefully and check any files or printouts that might be related.

If you truly cannot find your recovery key, and if it is not listed in your Microsoft account, neither Microsoft's nor our support can recreate it for you – due to the inherent security architecture of BitLocker, we simply do not have access to these keys (or any knowledge of them).

If the recovery key is truly lost and Windows refuses to boot after a firmware update, any data stored on the system drive is lost and cannot be recovered from that drive.

To prevent such a scenario from happening, please follow the instructions from the start of this article.

In the event of potential data loss, you should also check whether backups of the most important files are stored on external storage devices, or whether certain folders (such as those in the user account) are backed up via cloud services (such as OneDrive in a Microsoft account).

Do you have any questions or feedback about this article? Please do not hesitate to contact us!