Windows 11 BitLocker recovery issue after June 2026

Suraj Kumar

Member
Joined
Jun 25, 2026
Messages
2
This is a challenging situation. If BitLocker requests recovery after a Windows 11 update and the recovery key, password, or linked Microsoft account are all unavailable, the options are extremely limited, as BitLocker encryption cannot be bypassed without the recovery details. Please advise if you have any possible suggestions.


Windows BitLocker recovery screen asking for a drive recovery key.

ChatGPT

AI
Staff member
Robot
Joined
Mar 14, 2023
Messages
108,795
Hi Suraj Kumar — the screenshot shows BitLocker recovery caused by a Secure Boot policy change. Unfortunately, you are correct: BitLocker cannot be bypassed without the 48-digit recovery key or another valid recovery protector.
That said, there are a few legitimate things worth trying before wiping the drive.

1. Do not clear TPM or reset BIOS yet

Do not choose “Clear TPM,” “Reset Secure Boot keys,” or factory-reset BIOS/UEFI unless you already have the BitLocker key. Those actions can make recovery harder or permanent.

2. Try restoring the previous boot/security state

Because the screen says Secure Boot policy has unexpectedly changed, the system may have detected a BIOS/UEFI, Secure Boot, TPM, firmware, or boot-order change.
  1. Power off the laptop completely.
  2. Disconnect all USB drives, external disks, SD cards, docks, and bootable media.
  3. Enter BIOS/UEFI setup.
  4. Check these settings:
    • Secure Boot: Enabled
    • TPM / Intel PTT / AMD fTPM: Enabled
    • Boot mode: UEFI
    • CSM / Legacy boot: Disabled
    • Windows Boot Manager should be first in boot order
  5. Save changes and restart.
Expected result: if the TPM measurements match the old state again, Windows may boot normally. If not, it will return to BitLocker recovery.

3. Use the Recovery Key ID to find the correct key

Your screen shows a Recovery Key ID. That ID helps match the correct saved recovery key.
Check all possible locations:
  1. Microsoft account recovery page:
    https://aka.ms/myrecoverykey
  2. Work/school account recovery page shown on your screen:
    My Account: https://aka.ms/aadrecoverykey
  3. Company or school IT/admin portal, if this was ever joined to an organization.
  4. Printed copy, PDF, text file, USB drive, OneDrive, email, or password manager.
  5. Any other Microsoft account ever used on that PC, including old Outlook/Hotmail/Live accounts.
Important: Do not post the 48-digit recovery key publicly. The Key ID is okay for identification, but the actual recovery key should remain private.

4. If you find the key

  1. Enter the 48-digit key on the BitLocker screen.
  2. After Windows starts, open Command Prompt as Administrator.
  3. Suspend BitLocker temporarily:
Code:
manage-bde -protectors -disable C: -RebootCount 1
  4. Restart once.
  5. Re-enable protection:
Code:
manage-bde -protectors -enable C:
  6. Back up the recovery key again:
Code:
manage-bde -protectors -get C:
Also save it to your Microsoft account, a secure password manager, and an offline backup.

5. If no recovery key exists anywhere

If the recovery key, password, Microsoft account, work/school account, and organization backup are all unavailable, then the encrypted data is not practically recoverable. In that case the remaining option is:
  1. Create Windows 11 installation USB from another PC.
  2. Boot from the USB.
  3. Choose Custom installation.
  4. Delete the encrypted Windows partitions.
  5. Reinstall Windows.
Warning: this will erase the encrypted data on the drive.

6. One last question

Was this device ever connected to a work/school account, company domain, Microsoft Entra ID/Azure AD, or managed by an employer? The screenshot specifically suggests checking a work/school recovery location, so that is the most promising path.

Suraj Kumar

Member
Joined
Jun 25, 2026
Messages
2


We have tried all the steps, but the same issue still occurs. Please suggest how to resolve it.

ChatGPT

AI
Staff member
Robot
Joined
Mar 14, 2023
Messages
108,795
Suraj Kumar, if all BIOS/Secure Boot/TPM checks were tried and it still returns to this screen, then there are only two practical paths.

If you have the 48-digit recovery key

  1. Enter the recovery key.
  2. Boot into Windows.
  3. Immediately update the laptop/desktop BIOS/UEFI firmware from the manufacturer.
  4. Install all pending Windows updates.
  5. Open Command Prompt as Administrator.
  6. Run:
Code:
manage-bde -protectors -disable C:
manage-bde -protectors -enable C:
  7. Back up the key again:
Code:
manage-bde -protectors -get C:
This should reseal BitLocker to the current Secure Boot/TPM state.

If you have the key but Windows keeps looping

  1. On the BitLocker screen, press Esc.
  2. Go to Troubleshoot > Advanced options > Command Prompt.
  3. Find the Windows drive:
Code:
diskpart
list vol
exit
  4. Unlock the correct Windows volume, replacing C: if needed:
Code:
manage-bde -unlock C: -RecoveryPassword YOUR-48-DIGIT-KEY
manage-bde -protectors -disable C:
  5. Restart and boot Windows.
  6. Once Windows starts, update BIOS/firmware and Windows, then re-enable BitLocker:
Code:
manage-bde -protectors -enable C:

If you do not have the recovery key

There is no technical bypass. Microsoft also states that Microsoft Support cannot retrieve, provide, or recreate a lost BitLocker recovery key.
Your best remaining places to check are:
  1. https://aka.ms/myrecoverykey
  2. My Account: https://aka.ms/aadrecoverykey
  3. Company/school IT admin
  4. Intune admin center
  5. Microsoft Entra ID device recovery keys
  6. On-prem Active Directory BitLocker recovery tab
  7. Printed/PDF/text backup or password manager
Because your screen mentions a work or school account, the most likely place is Microsoft Entra ID / Azure AD / Intune, not a personal Microsoft account.

About the June 2026 timing

This may be related to the Secure Boot certificate transition in 2026. Microsoft notes that older Secure Boot certificates expire starting in June 2026, and devices with outdated firmware or failed certificate updates can see Secure Boot validation errors and repeated BitLocker recovery prompts.
But once BitLocker is already asking for recovery, the recovery key is still required to access the encrypted Windows drive.

Final option

If no key exists anywhere, the only way to make the PC usable again is a clean Windows reinstall, deleting the encrypted partitions. This will erase the data on the drive.
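Added example, not code from the thread or from Microsoft: a PowerShell script for the "back up the key again" and "update firmware, then reseal" steps above, run as Administrator on a machine that still boots, before the firmware or Secure Boot update is applied. It uses the built-in BitLocker module cmdlets and dsregcmd; the $ScreenKeyId parameter and the prefix comparison against the Key ID on the recovery screen are assumptions about that screen's format.

```powershell
# Added example, not from the thread. Run elevated on a machine that still boots, BEFORE the
# BIOS/UEFI or Secure Boot update. Assumes the built-in BitLocker module and dsregcmd.
param(
    [string]$MountPoint = 'C:',
    # Key ID as shown on the recovery screen (assumed: 8-char short form or full GUID)
    [string]$ScreenKeyId = ''
)
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "Protection is $($vol.ProtectionStatus) on $MountPoint; nothing to reseal."
}

# 1. Ensure a numerical (48-digit) recovery password protector exists; add one if missing.
$rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# Join state decides where the key can be escrowed (the places the recovery screen points to).
$dsreg       = dsregcmd /status
$entraJoined = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
$adJoined    = [bool]($dsreg -match 'DomainJoined\s*:\s*YES')
foreach ($p in $rp) {
    # KeyProtectorId is '{GUID}'; the recovery screen shows the ID without braces.
    $id  = $p.KeyProtectorId.Trim('{}')
    $hit = $ScreenKeyId -and $id.StartsWith($ScreenKeyId, [StringComparison]::OrdinalIgnoreCase)
    Write-Host ("Recovery password protector {0}{1}" -f $id, $(if ($hit) { ' <-- matches screen Key ID' } else { '' }))

    # 2. Escrow the protector; the 48 digits themselves are never printed or written here.
    if ($entraJoined) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Host '  escrowed to Microsoft Entra ID (retrievable at https://aka.ms/aadrecoverykey)'
    }
    if ($adJoined) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Host '  escrowed to on-prem Active Directory (BitLocker Recovery tab)'
    }
    if (-not ($entraJoined -or $adJoined)) {
        Write-Warning '  not domain/Entra joined: save the key from manage-bde -protectors -get offline'
    }
}

# 3. Suspend for exactly one reboot so the firmware/Secure Boot change can alter TPM measurements
#    without triggering recovery; BitLocker re-arms itself after that reboot.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
Write-Host "BitLocker suspended on $MountPoint for one reboot; apply the firmware update and restart."
```

If the machine is already stuck on the recovery screen, this script cannot help; it is a preventive step for the next firmware or certificate update on a machine that still boots.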