Understanding BitLocker (and how to deal with it before BIOS updates)

Read this first

Before you install a BIOS update or any other firmware update, please take a moment to check whether BitLocker is active on your system.

BitLocker is Windows drive encryption. After certain firmware-related changes, Windows may ask for the BitLocker recovery key on the next boot. If that happens and you do not have the correct key, you will not be able to continue booting or access your data.

The recovery key is a 48-digit number, written as eight groups of six digits separated by dashes. It is not the same as your normal Windows password, PIN, or Microsoft account password.

Example recovery key:

123456-789012-345678-901234-567890-123456-789012-345678

Do not start a BIOS or firmware update unless one of the following is true:

  • You already have your BitLocker recovery key and can access it from another device.
  • BitLocker protection has been suspended or disabled before running the update.

In the following chapters, we will explain how to check your BitLocker status, how to find your recovery key, and what to do before updating your BIOS.

How to handle BitLocker before installing a BIOS update

Introduction

If you do not have your BitLocker recovery key, or you are not sure where it is, do not proceed with a BIOS update without preparation. You must suspend or disable BitLocker first. Suspending and disabling are not the same thing; the difference is explained below.

If you already have the recovery key, and you will be able to access it even if your system does not boot (either printed or available on another device), then you can proceed without suspending or disabling BitLocker.

If the laptop belongs to a company, school, or university (if you use a work or school account to log in to Windows), please ask your IT department for support. The recovery key may be managed by the organization, and suspending BitLocker may not be possible without IT admin access, or it may conflict with company policy.

Where can I find my BitLocker recovery key?

If the recovery screen appears after a BIOS update, note the first 8 characters of the Key ID. That helps you pick the correct key if you have more than one saved.

Bookmark this page:

If you are logged in with a company or school account, use this link instead:

After you sign in, you will see a page that looks like this:

[Screenshot: recovery-key-in-microsoft-account_en.png]

The table in the screenshot shows 3 essential columns:

  • Device name: this is a name that is randomly assigned during Windows setup. It can also be custom-assigned by your IT department, or by yourself.
  • Key ID: if your system asks you for your BitLocker recovery key, it will show you this key ID to help you identify which recovery key you need.
  • Recovery key: this is the actual key that you will need to enter. It is essential that you have access to this key, and it is recommended to create a backup.

Side notes:

  • Since Windows 11 version 24H2, the recovery screen also shows a hint for the associated Microsoft account.
  • When enabling BitLocker manually, Windows also offers to store the recovery key in a text file that can be printed or stored on a USB flash drive. This backup can also be done at any time (provided the system is bootable) – see this chapter.

Where can I find my device name?

The device name is given to your device by your IT department, or it is assigned randomly during Windows setup. You can find your device name by searching for “About your PC” in Windows Start menu.

[Screenshot: about-your-pc-device-name_en.png]

This device name can be changed by yourself to make it more recognizable. If you are logged into your Microsoft account, changing your device name in Windows will also update the listing in your online BitLocker recovery key table.

What if my device is administered by my organisation?

If the device was ever connected to a work or school account, the key may be visible in that account’s device section. Depending on how the device was configured, only the organisation’s IT department may be able to retrieve it from there. You can use this copy/paste message to contact your IT department:

Hello, I am planning to perform a BIOS update on my device.

  • Model: [insert full model name including product ID or generation]
  • Device name: [insert device name]

Since the device is protected with BitLocker, I will either need access to the BitLocker recovery key or confirmation that it is safe to suspend BitLocker before proceeding. Otherwise, performing the BIOS update may cause a BitLocker recovery event and lock me out of my system and data.

Please advise on the correct procedure or provide the recovery key if applicable. Thank you!

Information on how to find your Device name is listed in the chapter above.

Users with local/offline accounts need to be especially careful!

Users with local/offline accounts may still have BitLocker enabled, even if they are not aware of it. This is explained in more detail in a paragraph below.

Unlike users with a Microsoft account, offline-account users do not have the luxury of an online backup of their recovery key. You will have to extract and store the BitLocker key yourself, or disable/suspend BitLocker before the BIOS update.

That means local-account users should be extra careful before any BIOS or TPM update. If you do not clearly know where your recovery key is stored, suspend or disable BitLocker before updating.

How can I create a manual backup of my BitLocker recovery key?

Follow these steps:

  • Open Start menu
  • Type BitLocker
  • Find "Manage BitLocker"

Alternative path:

  • Windows Settings > Privacy & security > Device encryption > BitLocker drive encryption

If "Manage BitLocker" is not listed in Start search, you are likely using Windows 11 Home, and the system is using the simpler "Device encryption" interface. In this case, simply search for "Device encryption" in Start menu.

Once you are there, click on "Back up your recovery key" for the system drive.

[Screenshot: backup-recovery-key-options_en.png]

Make sure to store the key in a safe location.

  • Either printed and stored in a safe place.
  • Or saved to a file that is then placed in a safe place (i.e. not on the same device).

The option “Save to your Microsoft account” only works if your Windows is logged into that Microsoft account – the option is not available for users with local or offline accounts.

For more information, please refer to Microsoft’s support page:

What’s the difference between disabling and suspending BitLocker?

Suspending BitLocker is only a temporary action. The drive stays encrypted, but BitLocker adds a so-called clear key: the volume’s encryption key is written to the disk unprotected, so the next boot does not depend on the TPM measurements and the changed firmware state is not challenged. This is why suspension is the normal recommendation before BIOS or TPM updates. Keep in mind that while protection is suspended, anyone with physical access to the disk can read it, so resume protection as soon as the update is done.

Disabling or turning off BitLocker is different – it will lead to full disk decryption. Depending on the size, speed and utilization of your disk, decrypting the disk will take a certain amount of time. The status can be tracked in Control Panel or via the “manage-bde” command-line interface.

If the system is restarted, shut down, or loses power before decryption has completed, that is not a problem: decryption resumes where it stopped the next time Windows starts.

If your goal is only to avoid a recovery prompt after a BIOS update, suspend is the better option. Turn off BitLocker only when you deliberately want the drive fully decrypted permanently.

How to suspend BitLocker

Follow these steps:

  • Open Start menu
  • Type BitLocker
  • Find "Manage BitLocker"

Alternative path:

  • Windows Settings > Privacy & security > Device encryption > BitLocker drive encryption

Once you are there, click on "Suspend protection" and confirm.

If "Manage BitLocker" is not listed in Start search, you are likely using Windows 11 Home, and the system is using the simpler "Device encryption" interface. In this case, simply search for "Device encryption" in Start menu.

After this is done, you can reboot and follow the steps to update your BIOS as outlined in our documentation. To get started, please refer to this article:

  • How can I update the EC/BIOS firmware of my laptop?

After your BIOS update is complete and you have successfully booted back to Windows, go back to the same place as indicated above and choose "Resume protection".

If I suspend BitLocker, how long should I wait before starting the BIOS update?

Suspending BitLocker is immediate. It does not decrypt the SSD. The drive remains encrypted, but Windows temporarily stops enforcing the normal startup integrity checks so that firmware changes do not trigger recovery. Once Windows shows that protection is suspended, you can proceed with the BIOS update - there is no need to wait for a long background process to finish.

If you fully disable or turn off BitLocker instead, that is different: Windows starts decrypting the drive immediately, and you must wait until decryption has finished before the drive is truly no longer protected by BitLocker.

What if there is no option to suspend BitLocker?

On some systems, depending on the Windows edition or device configuration, the BitLocker management interface does not offer a “Suspend protection” option. Instead, you may only see the option to “Turn off BitLocker”.

[Screenshot: manage-bitlocker-no-suspend-option_en.png]

In this case, you will either need to access and back up your BitLocker recovery key, or simply turn off BitLocker before proceeding with the BIOS update.

Turning off BitLocker starts a full decryption of the drive. This process can take a significant amount of time depending on SSD size and speed.

While Windows technically allows you to reboot or shut down during decryption - and the process will resume afterward - it is recommended to wait until decryption is fully completed before performing the BIOS update.

Once decryption is finished, the status changes from “Decrypting” to “BitLocker is off”. Only then should you proceed with the BIOS update.
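Turning off BitLocker and waiting for the decryption to complete can also be done from an elevated PowerShell prompt. The following script is an added example (it is not the page’s helper tool and not Microsoft code). It assumes that C: is the Windows volume and uses only the built-in Disable-BitLocker and Get-BitLockerVolume cmdlets; the poll interval is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
# Added example: turn off BitLocker on the Windows volume and block until the
# drive is fully decrypted, which is the state the chapter above asks for
# before a BIOS update. Returns $true only when VolumeStatus is FullyDecrypted.

function Wait-BitLockerDecryption {
    param(
        [string]$MountPoint  = 'C:',   # assumed Windows volume
        [int]   $PollSeconds = 30      # arbitrary polling interval
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Host "$MountPoint is already fully decrypted (BitLocker is off)."
        return $true
    }

    if ($vol.VolumeStatus -ne 'DecryptionInProgress') {
        # Disable-BitLocker is the PowerShell equivalent of "Turn off BitLocker":
        # it removes the key protectors and starts decrypting the whole volume.
        Disable-BitLocker -MountPoint $MountPoint | Out-Null
    }

    do {
        Start-Sleep -Seconds $PollSeconds
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        # EncryptionPercentage counts down towards 0 while decryption runs.
        Write-Host ('{0:HH:mm:ss}  {1,-22} {2,3}% still encrypted' -f (Get-Date), $vol.VolumeStatus, $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -eq 'DecryptionInProgress')

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Host "$MountPoint is fully decrypted. It is now safe to start the BIOS update."
        return $true
    }

    # DecryptionPaused or any other state: do not flash until this is resolved.
    Write-Host "Unexpected state '$($vol.VolumeStatus)' on $MountPoint. Do not start the BIOS update yet."
    return $false
}

Wait-BitLockerDecryption -MountPoint 'C:'
```

If the machine is rebooted while the loop is running, decryption resumes on the next boot, as described above; simply run the script again and it will pick up the "DecryptionInProgress" state instead of calling Disable-BitLocker a second time.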

Side notes:

  • Suspension is generally only recommended for the drive (or partition, drive letter) on which Windows is currently installed. The BitLocker management interface (GUI) does not offer to suspend encryption on secondary or removable drives. However, suspension is still possible through the command-line interface for those drives.
  • Likewise, if the BitLocker management interface does not offer suspension for the system partition, it is still available using command-line interfaces (see this chapter and the following ones).

What is the difference between Windows 11 Home and Pro (regarding BitLocker)?

Windows 11 Home and Windows 11 Pro use the same underlying encryption technology, but they offer different user interfaces and levels of control. On Windows 11 Home, encryption is exposed as "Device encryption" in Settings.

Windows 11 Home only offers a simple "On" and "Off" switch for Device encryption.

On Windows 11 Pro, Enterprise, and Education, users have access to the "Manage BitLocker" control panel. This interface allows manual backup of recovery keys, suspension of protection before firmware updates, and access to other advanced options.

I'm using an offline account – not a Microsoft account. What do I need to know?

For users who are not logged into a Microsoft account, Windows 11 Home does not provide a GUI method to back up a BitLocker recovery key. While Windows 11 Pro and up allow backing up recovery keys via the "Manage BitLocker" interface, Home users with local or offline accounts can only turn BitLocker (Device encryption) "On" or "Off".

[Screenshot: device-encryption-on-with-local-account_en.png]

With Windows 11 Home, the related link to "BitLocker drive encryption" (Manage BitLocker) only leads to Microsoft Store, where users can buy an upgrade to Windows 11 Pro.

Recommendations:

  • Back up your recovery key with the command-line tool "manage-bde" (see this chapter).
  • Or use our helper tool to check and manage BitLocker status (see this chapter).
  • Or simply turn Device encryption off if you plan to perform a BIOS update.

I cannot find BitLocker, nor Device encryption, on my device

Depending on system configuration, Windows may not offer Device Encryption (or BitLocker) at all. This usually means that certain technical requirements are not met.

Common requirements include:

  • Secure Boot enabled in BIOS setup.
  • TPM (Trusted Platform Module) available.
  • Support for PCR7 binding: the TPM’s Platform Configuration Register 7 must reflect the Secure Boot state, which is what Device encryption binds the key to (msinfo32 shows this as "PCR7 Configuration").
  • A working Windows Recovery Environment (WinRE).

If one or more of these conditions are missing or misconfigured, Windows will not automatically enable Device Encryption. However, BitLocker may still have been enabled through other means or an earlier configuration, so the absence of Device encryption in Windows settings is not a reliable signal that your system drive is unencrypted.

Before a BIOS update, we still advise checking manually:

  • Run msinfo32 and check the field "Device Encryption Support".
  • Or use command-line tools such as "manage-bde" (see this chapter).
  • Or use our helper tool to check and manage BitLocker status (see this chapter).
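The manual check can be done in one go from an elevated PowerShell prompt. The script below is an added example (it is not the helper tool mentioned above and not code from the original page). It assumes the built-in BitLocker, TPM and SecureBoot PowerShell modules are present, which is the case on current Windows 10/11 installations regardless of edition, and it reports every volume rather than only C:.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight BitLocker check before a BIOS/firmware update.
# Returns $true when nothing blocks the update and $false when BitLocker needs
# attention first (protected volume without a saved recovery key, or not suspended).

function Test-BitLockerPreflight {
    $problems = @()

    # 1. Encryption state of every volume, independent of what the Settings page shows.
    #    VolumeStatus     = is the data on disk encrypted?
    #    ProtectionStatus = On: key guarded by the protectors; Off: suspended (clear key on disk).
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        $line = '{0,-4} {1,-16} {2,-21} protection={3,-4} {4,3}% encrypted  recovery passwords: {5}' -f `
            $vol.MountPoint, $vol.VolumeType, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage, $recovery.Count
        Write-Host $line

        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # BitLocker is off on this volume
        if ($vol.ProtectionStatus -ne 'On')        { continue }   # already suspended, will not prompt

        if ($recovery.Count -eq 0) {
            $problems += "$($vol.MountPoint) is protected but has no recovery password protector at all."
        }
        foreach ($kp in $recovery) {
            # The recovery screen identifies the key by the first 8 characters of this ID.
            $shortId = $kp.KeyProtectorId.Trim('{}').Substring(0, 8)
            $problems += "$($vol.MountPoint) is protected; confirm that key ID $shortId is saved off-device, or suspend protection first."
        }
    }

    # 2. Platform state that the TPM check depends on (see 'Common requirements' above).
    try   { $secureBoot = Confirm-SecureBootUEFI }   # throws on legacy-BIOS systems
    catch { $secureBoot = 'n/a (not UEFI)' }
    $tpm = Get-Tpm
    Write-Host "Secure Boot: $secureBoot   TPM present: $($tpm.TpmPresent)   TPM ready: $($tpm.TpmReady)"

    if ($problems.Count -gt 0) {
        Write-Host ''
        Write-Host 'Do NOT start the BIOS update yet:'
        $problems | ForEach-Object { Write-Host " - $_" }
        return $false
    }
    Write-Host ''
    Write-Host 'No BitLocker-protected volume without a plan. OK to proceed with the BIOS update.'
    return $true
}

Test-BitLockerPreflight
```

A volume with VolumeStatus "FullyEncrypted" and ProtectionStatus "Off" is the suspended state the chapters above describe: still encrypted, but it will not ask for the recovery key on the next boot.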

Does every BIOS update trigger a BitLocker recovery?

No. Not every BIOS, firmware, or TPM update triggers the BitLocker recovery screen. It only happens when the update changes something that BitLocker’s TPM check depends on, for example a TPM firmware update, a clearing or reconfiguration of TPM storage, or a change to the Secure Boot configuration.

Whether or not an update will trigger such a condition is not always apparent from the update’s changelog. It may also depend on the state of the end-user’s system. For example, if the user skipped several updates (i.e. comes from a very old version), the latest update may trigger the condition even though the relevant change was not introduced in the latest update itself.

Therefore, it is always safer to simply assume that a BitLocker recovery condition will be triggered, and to be prepared for it, by either gaining access to the BitLocker recovery key, or by disabling/suspending BitLocker before running the update.

Background information

What is BitLocker?

BitLocker is Windows drive encryption that works invisibly in the background. According to Microsoft, it protects the data on your SSD so that someone cannot simply remove the drive or boot it another way and read your files. On modern Windows laptops, BitLocker is usually already active by default, even if the user or owner of the device never turned it on manually.

What is the difference between "Device encryption" and "BitLocker"?

"Device encryption" is the simpler, consumer-facing interface of BitLocker – it is the only available interface on Windows 11 Home. The more detailed "Manage BitLocker" menu is limited to Windows 11 Pro, Enterprise and Education.

However, within the scope of this article, the methods and core functionality are identical on both, so we will use BitLocker synonymously with Device encryption.

Why can a BIOS or TPM update trigger a recovery-key prompt?

BitLocker uses the TPM and boot environment to decide whether the system still looks trusted. A BIOS update, EC update, Secure Boot change, or TPM firmware change can alter those measurements. When that happens, Windows may treat the next boot as a possible tampering event and ask for the 48-digit BitLocker recovery key, even if you are the real owner of the laptop.

To make sure you are prepared for this event, please read the initial chapters of this article.

Is BitLocker enabled by default?

On modern hardware, it is safe to assume that BitLocker is enabled by default.

  • When using a Microsoft account, or if you are logged in with a work or school account, BitLocker is expected to be enabled by default.
  • When using an offline account, BitLocker may also be enabled by default under various conditions. This is further explained in the next chapter.

All of this is true regardless of the version of Windows, including Windows 11 Home, Pro and Enterprise.

Due to the severity of the worst-case scenario – locking yourself out without having access to the recovery key – it is best practice to assume that BitLocker is enabled, then check its status manually and suspend or disable if needed. Please follow the steps outlined in the initial chapters of this article.

Trust, but verify.

BitLocker gets enabled by default on offline accounts? (Yes, more often than not.)

It depends, but it’s safer to assume that it is enabled.

Microsoft officially states that BitLocker is not turned on automatically for local-account users. Quote:

“If you're using a local account, Device Encryption isn't turned on automatically.” (Source)

However, in practice, this is not 100% reliable. Depending on the installation method or the original device condition, BitLocker may already have been enabled before user account creation.

Also, Microsoft no longer really supports local/offline accounts: creating one requires a not-so-secret command-line trick during setup. Therefore, any Microsoft statement about the conditions for offline-account users must be taken with a grain of salt, as it may be outdated or inconsistent with the technical reality of a given update level.

Practical takeaway: do not simply assume BitLocker is off just because you never enabled it yourself. Check before flashing BIOS.

Is BitLocker enabled again automatically after I manually suspended it?

It depends on how BitLocker was suspended.

  • If BitLocker was suspended via Windows settings, it will not be re-enabled automatically.
  • If BitLocker was suspended through PowerShell with otherwise default parameters, it will be re-enabled after the next successful boot.

This is documented on this page. Microsoft writes:

You can specify the number of times that a computer restarts before the BitLocker suspension ends by using the RebootCount parameter, or you can use the Resume-BitLocker cmdlet to manually resume protection. If you do not specify the RebootCount parameter, the cmdlet uses a value of one (1), so BitLocker protection resumes after the next restart.

Our own BitLocker Tool sets this parameter to zero (0), so BitLocker will remain permanently suspended until it is manually enabled again.

This is to protect the user from accidentally rebooting once before actually performing a BIOS update.

  • Under normal circumstances, the user would suspend BitLocker and then reboot the system, disable Secure Boot in BIOS setup, Save & Exit, then hold a certain hotkey to boot from USB media to start the BIOS update.
  • However, if the user misses pressing the hotkey, or if boot from USB fails (e.g. because Secure Boot is still enabled), Windows would boot again. This would count as a normal reboot, thus, with RebootCount being set to 1 by default, BitLocker would be re-enabled again automatically.
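The RebootCount behaviour described above can be handled explicitly. The following is an added example (it is not our BitLocker Tool and not Microsoft code); it assumes C: is the Windows volume and uses the built-in Suspend-BitLocker, Resume-BitLocker and Get-BitLockerVolume cmdlets. It suspends indefinitely, verifies the resulting state, and provides the matching resume step for after the update.

```powershell
#Requires -RunAsAdministrator
# Added example: suspend BitLocker indefinitely before a firmware update and
# resume it afterwards, checking the volume state at each step.

function Suspend-BitLockerForFirmwareUpdate {
    param([string]$MountPoint = 'C:')   # assumed Windows volume

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Host "$MountPoint is not encrypted; nothing to suspend."
        return $true
    }
    if ($vol.ProtectionStatus -eq 'Off') {
        Write-Host "$MountPoint is already suspended."
        return $true
    }

    # RebootCount 0 keeps protection suspended until Resume-BitLocker is called.
    # The cmdlet default (1) would silently re-arm protection after the next reboot,
    # e.g. when the boot-menu hotkey is missed and Windows starts once more.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Expected: VolumeStatus still FullyEncrypted, ProtectionStatus Off.
    # While suspended, a clear key sits on the disk, so anyone holding the drive can read it.
    Write-Host "$MountPoint : VolumeStatus=$($vol.VolumeStatus) ProtectionStatus=$($vol.ProtectionStatus)"
    return ($vol.ProtectionStatus -eq 'Off' -and $vol.VolumeStatus -ne 'FullyDecrypted')
}

function Resume-BitLockerAfterFirmwareUpdate {
    param([string]$MountPoint = 'C:')

    # Removes the clear key and re-seals the volume key to the (new) TPM measurements.
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Host "$MountPoint : ProtectionStatus=$($vol.ProtectionStatus)"
    return ($vol.ProtectionStatus -eq 'On')
}

# Step 1, before rebooting into the BIOS update:
Suspend-BitLockerForFirmwareUpdate -MountPoint 'C:'

# Step 2, after the update and a successful boot back into Windows:
# Resume-BitLockerAfterFirmwareUpdate -MountPoint 'C:'
```

Because the resume step is deliberate, do not forget it: a volume left suspended is encrypted on paper only.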

Do separate drives or partitions have separate recovery keys?

Yes, the recovery key is generally unique for each drive or partition. If you are logged into Windows with your Microsoft account, Microsoft stores all those keys separately on the "BitLocker recovery keys" page in your account. The keys are labelled by drive identifier – the system partition is labelled "OSV".

If you use a local account (offline account), and you want to enable BitLocker for separate storage devices or removable media (including USB thumb drives), you must manage the recovery keys for each of those drives manually and individually.

I’m an admin. How can I control BitLocker through the command-line?

Open a Command Prompt as administrator and use the following commands:

  Command                           Description
  manage-bde -h                     Shows all commands and documentation.
  manage-bde -status                Shows the BitLocker status of all installed storage devices and partitions.
  manage-bde -protectors -get C:    Lists the key protectors of drive C: (TPM, recovery password, etc.), including the recovery key and its ID.
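For local-account users who want the same result as the GUI backup described in the earlier chapter, the following script is an added example (not the page’s helper tool, not Microsoft code). It uses the built-in BitLocker PowerShell cmdlets instead of manage-bde, creates a recovery password protector where a protected volume has none, and writes all recovery keys to a text file. The output path is an assumption; D: is taken to be a USB drive, and the script refuses to write the file onto a BitLocker-protected volume.

```powershell
#Requires -RunAsAdministrator
# Added example: export the 48-digit recovery password(s) of every BitLocker-protected
# volume to a text file on removable media. Returns the number of keys written.

function Export-BitLockerRecoveryKeys {
    param([string]$OutFile = 'D:\bitlocker-recovery-keys.txt')   # D: assumed to be a USB stick

    # Never store the backup on a volume that the key itself unlocks.
    $targetDrive = [System.IO.Path]::GetPathRoot($OutFile).TrimEnd('\')
    $targetVol   = Get-BitLockerVolume | Where-Object { $_.MountPoint -eq $targetDrive -and $_.VolumeStatus -ne 'FullyDecrypted' }
    if ($targetVol) {
        throw "Refusing to write the backup to $targetDrive, which is itself BitLocker-protected."
    }

    $lines    = @("BitLocker recovery keys for $env:COMPUTERNAME, exported $(Get-Date -Format s)", '')
    $exported = 0

    foreach ($vol in Get-BitLockerVolume | Where-Object VolumeStatus -ne 'FullyDecrypted') {
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            # No numerical recovery password yet (possible on some local-account setups):
            # let Windows generate one. Equivalent to: manage-bde -protectors -add <drive> -RecoveryPassword
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $rp = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                    Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
        foreach ($kp in $rp) {
            $id = $kp.KeyProtectorId.Trim('{}')
            $lines += "Drive:        $($vol.MountPoint) ($($vol.VolumeType))"
            $lines += "Key ID:       $id   (recovery screen shows the first 8 characters: $($id.Substring(0, 8)))"
            $lines += "Recovery key: $($kp.RecoveryPassword)"
            $lines += ''
            $exported++
        }
    }

    Set-Content -Path $OutFile -Value $lines -Encoding ASCII
    Write-Host "$exported recovery key(s) written to $OutFile. Print the file or keep the USB drive in a safe place."
    return $exported
}

Export-BitLockerRecoveryKeys -OutFile 'D:\bitlocker-recovery-keys.txt'
```

The same information, one volume at a time, is what "manage-bde -protectors -get C:" prints to the console; the script only collects it for all volumes and keeps the file off the encrypted disk.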


Additional commands for Command Prompt or PowerShell are available on these support pages:

Command-line assistant tool

We provide a tool to help you suspend or disable (or unsuspend/enable) BitLocker on selected or all drives in your system in one single step:

Our script uses the official PowerShell commands for BitLocker management as outlined in the articles linked above. The script does not use the simpler “manage-bde” program.

We use this script internally to automatically disable BitLocker for SSD performance and stress tests – we provide the script here as community service. Everything the script does can also be done through the normal Windows Settings dialogs.

Does BitLocker really keep my data safe if my device is stolen?

Arguably yes.

BitLocker is specifically designed to protect your data if your laptop or SSD is stolen. It encrypts all data on the drive, so if someone removes the SSD and connects it to another computer, the contents cannot be read without the correct key.

The key is tied to the device’s TPM and is only released automatically when the system boots normally on the original hardware. This means your data remains protected against offline access.

However, if the laptop is already running or in sleep mode, the protection is lower because the drive has already been unlocked and the encryption key is held in memory. For maximum protection, fully shut down your device (not just sleep) when travelling or storing it.

What if someone boots Windows and tries to bypass my login or create a new account?

If a thief manages to boot the system and somehow creates a new local account, BitLocker is no longer the main protection layer at that point. The drive is already unlocked because the system booted normally. From there, protection depends on standard Windows security: user accounts and file permissions (NTFS permissions).

Creating a new local account is an administrative action and normally requires access to an existing admin account or a full reset/reinstall workflow.

Furthermore, system-level changes such as changing the boot order or installing a different boot manager (e.g. booting a different OS to access the data on the unlocked SSD) will also trigger BitLocker recovery.

A thief would still be able to wipe the SSD and reinstall Windows, but that would not grant access to your existing personal data – they would be gone.

A reinstall that preserves access to the old data (a side-by-side Windows install) is also not feasible. Reason: Without the recovery key, external boot media (e.g. a USB thumb drive created with Microsoft’s Media Creation Tool) cannot access the encrypted Windows volume, so they can also not write a separate Windows installation or boot loader on it.

Nothing is perfect, or: How to improve protection against highly motivated attackers

The chain of protection from BitLocker to Windows user accounts and NTFS permissions relies on the assumption that no known exploit can break that chain. Once the SSD is unlocked and the OS has access to its contents, a sufficiently motivated attacker (or a state-sponsored actor) could theoretically find a serious unknown vulnerability or a physical attack to gain privileged access to a system that has already booted and unlocked the drive.

So, in the event of a targeted and highly motivated attack, BitLocker alone will not be able to provide perfect protection against data extraction.

This is a reasonable trade-off between security and convenience. Windows can unlock the drive automatically during a normal, trusted boot – so you don’t have to enter a password to boot your PC or laptop. Once booted, Windows is able to utilize more complex features such as Infrared cameras for facial recognition to unlock your user account – again at the convenience of not having to enter a PIN or password.

In practical terms, this kind of attack is far beyond the typical opportunistic thief, but it is part of the threat model for highly motivated, well-resourced attackers.

If your concern is not just ordinary theft but targeted access to especially sensitive files, it can make sense to add a second layer of encryption that is separate from the normal Windows boot process.

For professional users, Microsoft offers additional, optional key protectors where the user has to enter a PIN or insert a prepared USB drive (holding a startup key) at boot, before Windows starts. This prevents the scenario outlined above, because the drive is only unlocked after the user has provided the appropriate secret.

These additional authentication vectors are documented on this support page:

  • BitLocker planning guide > BitLocker key protectors [microsoft.com]

However, these additional features are not available in Windows 11 Home – only in Windows 11 Pro, Enterprise or Education.

Alternatively, one commonly recommended method is an encrypted container file that only opens after you enter a separate passphrase. VeraCrypt, a fork of the discontinued TrueCrypt project, is a current free, open-source option for exactly this use case. Other solutions are listed and compared in this Wikipedia article:

  • Comparison of disk encryption software > Layering [wikipedia.org]

Troubleshooting

I am locked out and Windows is asking for the BitLocker key

On the recovery screen, note the first 8 characters of the Key ID. Then, on another device, find the key with the matching ID in your Microsoft account, your work or school account, or your saved printout, USB drive, or text file, and enter that 48-digit key. For more information, please read the initial chapters of this article.

I cannot find my recovery key

Have you checked online (on another device) in your account on Microsoft.com? Follow this link:

If you are logged in with a company or school account, use this link instead:

If no key matching the first 8 characters of the key ID shown on the recovery screen is listed in your account, please check:

  • Was the device originally set up by another person? Please ask that other person to check their Microsoft account for the key. Or ask if they have a local backup of the recovery key.
  • Was the device ever signed into a company or school account? Check with the IT department of your organisation and ask them for the recovery key.
  • Has the recovery key ever been backed up to a printout, USB drive, or saved text file? Think carefully and check any files or printouts that might contain it.

If you truly cannot find your recovery key, and if it is not listed in your Microsoft account, neither Microsoft’s nor our support can recreate it for you. If the recovery key is truly lost and Windows refuses to boot after a firmware update, any data stored on that device is lost and cannot be recovered.