
BitLocker Manual Partition Unlock via Command Line

Michael Smith 0 Reputation points
2026-03-20T12:06:43.6966667+00:00

I've got a total disaster on my hands: our Director's Surface Pro 8 kicked the bucket right before the annual audit, and I've gotta pull his local spreadsheets ASAP. I've yanked the drive and slapped it into a USB cradle on my workstation, but I'm hitting a wall with BitLocker. I managed to grab one recovery key from the company MS portal to get into the OS partition, but the data volume is asking for a totally different key that isn't showing up anywhere online. I actually found a text file from a previous backup that lists a numeric password and an External Key ID for that specific volume, but I have no clue how to actually feed those into Windows to get it to unlock. I am really sweating this because the audit starts in three hours and I can't find a way to use these IDs. Does anyone know the command line trick to bypass the standard prompt and use these specific credentials instead?


2 answers

  1. Domic Vo 19,580 Reputation points Independent Advisor
    2026-03-20T12:45:20.4033333+00:00

    Hello,

    You’re in a situation where BitLocker is doing exactly what it was designed to do: each encrypted volume has its own recovery key, and unlocking one partition doesn’t automatically give you access to the others. The text file you found with a numeric password and an External Key ID is important, but you can’t “bypass” the BitLocker prompt—Windows only accepts valid recovery keys or passwords that match the volume’s protector.

    Here’s how you can use what you have. If the numeric string in that file is a 48‑digit recovery password, you can feed it directly into BitLocker. In PowerShell, run:

    manage-bde -unlock E: -RecoveryPassword 123456-123456-123456-123456-123456-123456-123456-123456

    Replace E: with the actual drive letter assigned to the data volume, and replace the digits with the exact 48‑digit password from your file. That is the supported way to unlock using a recovery password.

    If instead the file contains an External Key ID but not the full recovery password, that ID is only a reference pointer. It tells you which recovery key file (.BEK) or record in Azure AD/Microsoft Account corresponds to that volume. You cannot unlock with the ID alone. You would need the actual .BEK file (commonly stored on a USB drive during setup) or the 48‑digit recovery password associated with that ID. Without the full key, Windows will not unlock the volume.

    So the immediate step is to confirm whether the numeric string you have is indeed the 48‑digit recovery password. If it is, use manage-bde as shown above. If it’s only an identifier, you’ll need to locate the corresponding recovery key file or check again in your organization’s Azure AD portal under Devices > BitLocker keys for that specific volume.

    There is no supported command to bypass BitLocker with just an ID. Either the recovery password or the external key file must be present. If you can’t locate the actual key, the data volume will remain inaccessible.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

    Domic Vo.


  2. Q&A Assist
    2026-03-20T12:06:59.2+00:00
    AI-generated content. This question contains an answer created with AI from Q&A Assist.

    Use the BitLocker command-line tools to unlock that secondary data volume with the credentials in the text file.

    Assumptions based on what is available:

    • The drive is attached to the workstation as, for example, D:.
    • The text file contains either:
      • a 48‑digit numeric recovery password, and/or
      • an External Key ID that corresponds to a .bek key file (recovery key) you have.

    1. Unlock with the 48‑digit numeric recovery password

    If the “numeric password” in the file is the standard 48‑digit BitLocker recovery password (8 groups of 6 digits separated by hyphens), use manage-bde directly:

    manage-bde.exe -unlock D: -recoverypassword xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx
    

    Replace D: with the actual drive letter and the x groups with the exact 48‑digit value from the text file.

    If successful, the volume will unlock and be accessible in File Explorer. If needed, you can then turn BitLocker off or copy the data out immediately.

    2. Unlock with an external recovery key (.bek) file

    If the text file’s “External Key ID” corresponds to a BitLocker recovery key file you have (a .bek file, usually named like {GUID}.bek), use:

    manage-bde.exe -unlock D: -recoverykey E:\path\to\{protector_id}.bek
    

    Where:

    • D: is the BitLocker data volume.
    • E:\path\to\{protector_id}.bek is the full path to the .bek file on whatever drive holds it.

    3. If the drive is attached as a secondary disk and you prefer PowerShell

    If the workstation is running Windows with the BitLocker module available, PowerShell can also unlock with the recovery password:

    Unlock-BitLocker -MountPoint D -RecoveryPassword xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx
    

    Again, replace D and the password with the actual values.

    4. If the “numeric password” is not in 48‑digit recovery format

    BitLocker recovery via command line requires one of the supported protectors:

    • 48‑digit recovery password (-recoverypassword), or
    • recovery key file (.bek, via -recoverykey), or
    • a Data Recovery Agent certificate (-certificate) if configured in the environment.

    If the numeric value in the file is not a valid 48‑digit recovery password and there is no matching .bek file or DRA, it cannot be used to unlock the drive. BitLocker is designed so that without a valid recovery password, recovery key, or DRA, the data is not recoverable.

    Once the drive is unlocked, copy the required spreadsheets off immediately to a safe location.
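
The recovery-password path that both answers describe, as an added PowerShell example that is not part of either answer: it checks that the value is a well-formed 48-digit recovery password (each six-digit group is a multiple of 11 and below 720896), confirms that the protector ID from the backup file is listed on the volume, and only then unlocks. The drive letter, the all-zero password and the all-zero ID are constructed placeholders; run it from an elevated prompt.

```powershell
# Added example, not from the original answers. All default values are constructed placeholders.
param(
    [string]$Volume           = 'D:',
    [string]$RecoveryPassword = '000000-000000-000000-000000-000000-000000-000000-000000',
    [string]$ProtectorId      = '{00000000-0000-0000-0000-000000000000}'
)

function Test-RecoveryPasswordFormat {
    param([string]$Password)
    # Eight groups of six digits separated by hyphens.
    if ($Password -notmatch '^\d{6}(-\d{6}){7}$') { return $false }
    foreach ($group in $Password.Split('-')) {
        $n = [int]$group
        # Each group encodes a 16-bit value multiplied by 11, so it must be
        # divisible by 11 and smaller than 65536 * 11 = 720896.
        if ((($n % 11) -ne 0) -or ($n -ge 720896)) { return $false }
    }
    return $true
}

# 1. Catch transcription errors before handing the value to BitLocker.
if (-not (Test-RecoveryPasswordFormat $RecoveryPassword)) {
    throw 'Not a well-formed 48-digit recovery password; re-check the digits in the backup file.'
}

# 2. List the key protectors on the volume and confirm that the ID from the
#    backup file belongs to this volume and not to another disk.
$listing = manage-bde.exe -protectors -get $Volume
if ($LASTEXITCODE -ne 0) { throw "Could not read key protectors on $Volume." }
if (-not ($listing | Select-String -SimpleMatch $ProtectorId -Quiet)) {
    throw "Protector ID $ProtectorId is not listed on $Volume; the file is for a different volume."
}

# 3. Unlock with the recovery password, as in the answers above.
manage-bde.exe -unlock $Volume -RecoveryPassword $RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "Unlock failed for $Volume." }

# 4. Confirm the lock status before copying data off.
manage-bde.exe -status $Volume
```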

