Recent Windows updates are triggering BitLocker recovery screens for a lot of people. Since it’s enabled by default, a lot of people don’t even realize they have the device encryption feature on until they’re hit with this screen. The decryption key is automatically uploaded to the Microsoft Account you used to log into Windows. If that backup was never made or was interrupted, there is absolutely no way to get to your data without that key. Microsoft support cannot reset it. The same is true if you can’t recover the Microsoft account used to log into Windows. Here’s what you can do to avoid this nightmare scenario.
What are local admin accounts, and why you should set one up
Basically, it’s a spare key that you can create in two minutes
Microsoft doesn’t let you install Windows without connecting to a Microsoft account anymore. After signing in with a Microsoft account, Windows prompts you to set a PIN associated with the same account. If you lose that PIN, you need the same Microsoft account to recover it. If you lose access to that account or if Microsoft locks or bans that account, you will also be locked out of your PC.
There are some workarounds that let you install with a local account, but Microsoft is aggressively patching them. However, if you manage to make it work with a local account, remember that BitLocker is still enabled by default, but without a Microsoft account the decryption key will not be automatically backed up to the cloud. Check out the BitLocker section below for more details.
That’s why it’s a good idea to have a “spare” account set up that’s not connected to the cloud at all. You can create a second local account and give it admin access, in case you ever lose access to your primary Microsoft account. That way, you’ll still be able to log into your PC with a regular password.
The admin access will allow you to decrypt the drive and back up your data. You can reset the PIN for the Microsoft-linked account. You can also roll back problematic Windows updates or load a restore point via System Restore.
How to create a local admin account on Windows 11
Two easy ways to create a backup account
Creating local accounts used to be pretty straightforward, but Microsoft has buried the feature in newer versions of Windows. In some versions of Windows 11, it’s absent entirely. Here are two ways to set up a local administrator account. One uses Settings and the other uses the terminal. The terminal method works on all versions.
Open the Settings app and go to Accounts > Other Users > Add someone else. A Microsoft login window will pop up. Click the blue I don’t have this person’s sign-in information link. Then select “Add a user without a Microsoft account.”
By default, it will choose Standard for the account type. Switch it to Administrator to unlock admin privileges.
Alternatively, you can open the terminal and run the following two commands one by one. Replace jelly with the username of your choice and jam with the password.
net user jelly jam /add
net localgroup administrators jelly /add
To verify that the new account was created, run this command next.
net user
It’ll show you a list of available accounts. You can also open Control Panel > User Accounts > Manage Another Account to see all available accounts and their types in one place.
Remember the password you used to create this login or back it up somewhere to make sure you don’t get locked out of the spare account.
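The same account can be created without typing the password as a command argument, where it can end up in PowerShell's command history. This is an added example, not part of the original article; it uses the built-in LocalAccounts cmdlets in an elevated PowerShell window, and jelly is the article's placeholder username.

```powershell
#Requires -RunAsAdministrator
# Added example: create the spare local administrator with a prompted password.
# 'jelly' is the article's placeholder; replace it with your own username.
$name = 'jelly'

# Prompt twice with masked input so a typo does not lock you out of the spare.
$pw1 = Read-Host -AsSecureString "Password for $name"
$pw2 = Read-Host -AsSecureString "Repeat password"
$plain1 = [System.Net.NetworkCredential]::new('', $pw1).Password
$plain2 = [System.Net.NetworkCredential]::new('', $pw2).Password
if ($plain1 -cne $plain2) { throw 'Passwords do not match; nothing was created.' }
if ($plain1.Length -eq 0) { throw 'An empty password is not allowed for an admin account.' }

# Create the account only if it does not already exist.
if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $name -Password $pw1 -PasswordNeverExpires `
        -Description 'Spare local administrator' | Out-Null
}

# S-1-5-32-544 is the built-in Administrators group. Using the SID instead of
# the name also works on non-English Windows, where the group name is localized.
$adminSid = 'S-1-5-32-544'
$already = Get-LocalGroupMember -SID $adminSid |
    Where-Object Name -like "*\$name"
if (-not $already) {
    Add-LocalGroupMember -SID $adminSid -Member $name
}

# Verify: the account is enabled and listed in Administrators.
Get-LocalUser -Name $name | Format-List Name, Enabled, PasswordExpires
Get-LocalGroupMember -SID $adminSid | Where-Object Name -like "*\$name"
```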
How to deal with BitLocker recovery
Either disable it or create offline backups of the key
New versions of Windows automatically turn on BitLocker and upload the 48-digit recovery key to the linked Microsoft account. If you can log into that account, you can access it at this address:
aka.ms/myrecoverykey
The point of BitLocker is to prevent unauthorized physical access. With BitLocker enabled, if someone takes your hard drive out of your computer and plugs it into another one, they still can’t read what’s on the drive because the contents are encrypted. They’ll just see a BitLocker recovery screen demanding the 48-digit recovery key.
BitLocker can be overly sensitive to hardware and BIOS configurations though. Sometimes minor changes in BIOS settings or changes in hardware will trip it. Even Windows Update can trigger BitLocker recovery.
BitLocker is a must for portable devices like laptops, but for a home desktop PC that only you have access to, BitLocker is probably overkill. You can disable it entirely and save yourself from potential BitLocker trouble down the road.
To disable BitLocker, go to Settings > Privacy & Security > Device Encryption and toggle it off. Give it some time to decrypt your drive. Alternatively, you can look up “Turn off BitLocker” and click the Control Panel tile to disable it.
Windows Update occasionally turns BitLocker back on even if you manually disable it. It’s a good idea to open the terminal and run this command to check its current status from time to time.
manage-bde -status
If you’re on a laptop or if you just want to keep BitLocker enabled, do back up the recovery key in multiple places so you won’t get locked out.
You can look up “Backup your recovery key” and click the Control Panel tile that pops up. It’ll show you three options: you can upload the key to your Microsoft Account, print it, or save it as a text file.
I recommend doing all three and saving the file to a USB drive. That way you will have offline access to the decryption key in the event of a BitLocker recovery screen.
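The status check and the offline key backup can also be done in one pass from an elevated PowerShell window. This is an added example, not part of the original article; it assumes the BitLocker PowerShell module (Get-BitLockerVolume) is available on your edition of Windows, and the E:\bitlocker-keys folder on a USB drive is a placeholder path.

```powershell
#Requires -RunAsAdministrator
# Added example: report BitLocker state and save recovery keys to a USB drive.
param(
    # Assumption: E: is your USB drive. Change this to your own removable drive.
    [string]$BackupDir = 'E:\bitlocker-keys'
)

$volumes = Get-BitLockerVolume

# Same information as `manage-bde -status`, but as a table of objects.
$volumes | Format-Table MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage

# A key saved on an encrypted volume is unreachable at the recovery screen,
# so refuse a backup target that is itself encrypted.
$targetRoot = [System.IO.Path]::GetPathRoot($BackupDir).TrimEnd('\')
$targetVol  = $volumes | Where-Object { $_.MountPoint -eq $targetRoot }
if ($targetVol -and $targetVol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$targetRoot is encrypted. Save the key to an unencrypted USB drive."
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($v in ($volumes | Where-Object VolumeStatus -ne 'FullyDecrypted')) {
    # The 48-digit recovery key is stored as a RecoveryPassword protector.
    $rp = @($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        Write-Warning "$($v.MountPoint) is encrypted but has no recovery key protector."
        continue
    }
    $file = Join-Path $BackupDir ("{0}-{1}.txt" -f $env:COMPUTERNAME,
                                  $v.MountPoint.TrimEnd(':'))
    $rp | ForEach-Object {
        "Key ID: $($_.KeyProtectorId)"
        "Recovery key: $($_.RecoveryPassword)"
    } | Set-Content -Path $file
    Write-Host "Saved $($rp.Count) recovery key(s) for $($v.MountPoint) to $file"
}
```

The Key ID written next to each key is what the recovery screen shows, so you can match the right file to the right drive.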
BitLocker is enabled by default and it can cause data loss
The default Windows settings and bugs in recent system updates have caused widespread BitLocker issues, many of which Microsoft has officially acknowledged. Without the BitLocker recovery key, you will lose your data. Make sure you create a spare admin account and make offline backups of the key.

