solution Contentsolution Content

HP PCs - Using BitLocker and finding the recovery key (Windows 11, 10)

Device Encryption prevents unauthorized individuals from accessing your device and data.

Your computer might support BitLocker Drive Encryption (in English) or Device Encryption (in English). You can verify whether your device supports standard BitLocker encryption or Device Encryption.

Be sure to save your recovery key, because it might be required after certain actions, such as a BIOS update. There are multiple ways to attempt to retrieve your recovery key, if necessary.

Data protection with BitLocker Drive Encryption

BitLocker Drive Encryption, also known as standard BitLocker encryption, is available on supported devices running the Windows 11 and 10 Pro, Enterprise, or Education operating systems.

Note:

BitLocker Drive Encryption is not available on devices running the Windows 11 and Windows 10 Home operating systems.

If your device uses BitLocker Drive Encryption to encrypt your data, you must activate BitLocker.

During the activation process, you can select where to store the recovery key. This manual recovery key backup process is initiated when BitLocker is turned on.

Data protection with Device Encryption

Device Encryption is a feature-limited version of BitLocker that encrypts the entire system. Device Encryption is also known as BitLocker Device Encryption or BitLocker Automatic Device Encryption.

Windows automatically enables Device Encryption on devices that support Modern Standby (in English). Microsoft offers Device Encryption support on a broad range of devices, including devices that run Windows 11 and 10 Home edition. See Overview of BitLocker Device Encryption in Windows.

Device Encryption is enabled automatically when you either sign into your device with a Microsoft account or join with a corporate domain account. The recovery key is uploaded to the Microsoft account or the corporate domain automatically.

Enable BitLocker Drive Encryption or Device Encryption

You can enable BitLocker Drive Encryption or Device Encryption using the following procedures.

Enable BitLocker Drive Encryption

BitLocker Drive Encryption can be enabled during your initial computer setup or any time after by signing in with your Microsoft account.

Sign in to Windows with an administrator account.
In Winows, search for and open Manage BitLocker.
Click Turn on BitLocker, and then follow the on-screen instructions.
When prompted, select an option to back up your recovery key.

Note:
You can back up the recovery key later, if necessary. In Windows, search for and open Manage BitLocker, and then select Back up your recovery key.
Follow the on-screen instructions for your selected backup method. The options might vary depending on your BitLocker type.
- Save to your Microsoft account: Save the recovery key to your Microsoft account, to be accessed online.
- Save to your cloud domain account: Save the recovery key to your company's cloud domain.
- Save to a USB flash drive: Save the recovery key to a removable USB flash drive.
- Save to a file: Save the recovery key to a .txt file stored on your computer hard drive.
- Print the recovery key: Print a copy of the recovery key and store it in a safe location.
Note:
HP does not recommend printing recovery keys or saving them to a file. Instead, HP recommends using an active directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and your Microsoft account.
After saving the recovery key, follow the on-screen instructions to finish the BitLocker Drive Encryption process.

Enable Device Encryption

Device Encryption can be enabled during your initial computer setup or any time after by signing in with your Microsoft account or by joining a domain.

Enable Device Encryption during computer setup using a Microsoft account

You can enable Device Encryption during computer setup as follows.

Follow the on-screen instructions to set up your computer.
After agreeing to the End-User License Agreement (EULA), you are prompted to add or create your Microsoft account. Enter the email, phone number, or Skype username associated with your Microsoft account and then select Next, or select Create account and follow the on-screen instructions.
Enter your password, and then select Next.
Follow the on-screen instructions to complete your computer setup.
After your computer setup is complete, you can verify that Device Encryption is enabled. In Windows, search for and open Settings.
Select Update & Security, and then select Device encryption. Device Encryption is on and encrypting all present files and any files added to the system.

Note:
In addition, if you search for and open File Explorer, a lock icon is displayed on the operating system drive.

Enable Device Encryption after computer setup using a Microsoft account

You can enable Device Encryption after computer setup as follows.

Sign in to Windows with an administrator account.
In Windows, search for and open Settings, select Update & Security, and then select Device encryption.
Select Sign in with a Microsoft account instead. The Accounts page opens.

Note:
If Device Encryption is enabled but has been turned off, select Turn on.
On the Accounts page, select Sign in with a Microsoft account instead.
Enter the email, phone number, or Skype username associated with your Microsoft account and then select Next, or select Create account and follow the on-screen instructions.
Enter your password, and then select Next.
Follow the on-screen instructions to finish your account setup, and then sign in to your Microsoft account.
After your computer setup is complete, you can verify that Device Encryption is enabled. In Windows, search for and open Settings.
Select Update & Security, and then select Device encryption. Device Encryption is on and encrypting all present files and any files added to the system.

Note:
In addition, if you search for and open File Explorer, a lock icon is displayed on the operating system drive.

Use the recovery key

Computers encrypted with BitLocker Drive Encryption or Device Encryption might require the entry of a recovery key after one of the following events:

BIOS update
Microsoft Push Button reset
Disabling Secure Boot or Trusted Platform Module (TPM)
Hardware changes such as adding or removing video or network card

For more examples, go to the BitLocker recovery guide (in English).

Normally, you back up your recovery key when BitLocker is enabled. If you enable BitLocker Drive Encryption, you must manually select where to store the recovery key during the activation process. If you enable Device Encryption using a Microsoft account, the encryption starts automatically and the recovery key is backed up to your Microsoft account.

Retrieve, and then enter the recovery key to use your computer again.

Retrieve the recovery key from your Microsoft account

When you sign in using a Microsoft account, Device Encryption starts automatically and the recovery key is backed up to your Microsoft account. If you use BitLocker Drive Encryption, you must have manually saved the recovery key to your Microsoft account to use this procedure. If there is a problem and you are unable to sign in, you must use the recovery key to sign in.

Sign into your Microsoft account and retrieve your recovery key.
- Sign in from the Microsoft recovery key page.
  1. Using another computer or mobile device, go to https://windows.microsoft.com/recoverykey (in English).
  2. In the Microsoft account option, select Sign in to your Microsoft account.
  3. Follow the on-screen instructions to log in to your Microsoft account.
  4. If you have multiple computers, you can identify the correct key by matching the Device Name.
- Sign in from the Microsoft account page.
  1. Using another computer or mobile device, go to https://account.microsoft.com/account (in English).
  2. Sign in with the Microsoft account you use on the computer that requires a recovery key.
  3. Select All Devices, find the device name that matches the computer with the encryption issue, and then select Show details.
Your recovery key is the recovery key with a Device Name that matches the Recovery key ID on the recovery prompt.
Type the recovery key into the Enter the recovery key field in Windows, and then select Continue.

Other options to retrieve your recovery key

Finding your recovery key depends on the method that you used to back up the key. You can use the following backup options as a guide to find your recovery key.

For more information, see Where to look for your BitLocker recovery key (in English).

Use a cloud domain account

If your computer is connected to a domain, such as a school or work computer, your recovery key might be saved to your school or work's cloud domain. Ask your system administrator to help find your recovery key. Be sure that you tell your administrator your Recovery key ID from the recovery prompt on the computer.

Use a USB flash drive

If you saved your BitLocker recovery key to a USB flash drive, insert the USB flash drive into a USB port on your computer and follow the on-screen instructions. If the instructions to find the recovery key do not display automatically, you might have saved the recovery key as a text file. Insert the USB flash drive into a USB port on a different computer to open the text file (.txt).

Open a local file

The key might be saved as a local text (.txt) file stored on a nonencrypted hard drive on a different device. If the key is stored on your encrypted drive, you cannot access it.

Use a printed copy of the key

You might have printed a copy of the recovery key when you set up Device Encryption. Check the location where you store computer-related information for a printout of your recovery key.

Use an Azure Active Directory account

If you ever used a work or school email account to sign into an organization with an Azure Active Directory (AD) account on your computer, your computer recovery key might be saved in that organization's Azure AD account associated with your email. You might be able to access your recovery key through that account, or you might be able to ask a system administrator to find your recovery key.

Access another Microsoft account

If there are multiple Microsoft accounts used on the same computer, such as when multiple users share one computer, sign in to another account with administrator privileges to unlock the computer with the recovery key.

Additional support options

Try one of our automated tools or diagnostics

Ask a question on our HP Support Community page

Get in touch with one of our support agents

Enter a topic to search our knowledge library

What can we help you with?

Need Help?