How to fix error 0xC0210000 (the BitLocker drive is locked)
This means BitLocker has locked the drive and the key needed to unlock it was not loaded, usually after an update or a firmware change. Enter your recovery key to get back in, then suspend BitLocker before the change that triggered it. Jump to your situation below or work through the methods in order.
By Neeraj Singh ~7 min Updated Jun 2026 95% found this helpful
Error message
BitLocker recovery. The key required to unlock the volume wasn't loaded correctly. Error code: 0xC0210000 (STATUS_FVE_LOCKED_VOLUME).
Summary
Error 0xC0210000 (STATUS_FVE_LOCKED_VOLUME) means your drive is encrypted with BitLocker and Windows could not load the key to unlock it, so the PC boots to the blue BitLocker recovery screen. It is most common after a Windows update, a BIOS or firmware update, a Secure Boot change or a TPM reset, all of which change the measurements BitLocker checks. The fix is to enter your 48-digit recovery key from aka.ms/myrecoverykey or your work account, get into Windows, then suspend BitLocker before you repeat the change that triggered it. If the drive itself is damaged you can unlock and repair it with manage-bde and repair-bde.
What this error means
Error 0xC0210000 is a BitLocker status, not a disk failure. Its full name is STATUS_FVE_LOCKED_VOLUME, and it means the volume is locked by BitLocker Drive Encryption and the key needed to unlock it was not loaded at boot. Windows seals that key to your firmware and TPM, so when something in that chain changes, BitLocker stops trusting the boot and asks for your recovery key instead.
It usually appears right after a Windows update, a BIOS or UEFI firmware update, a Secure Boot or TPM change, or on some PCs with Hyper-V or Virtualization Based Security enabled. Entering your 48-digit recovery key lets Windows start. To stop it returning on every boot, you suspend BitLocker before the change, then resume it once you are back in Windows.
Common causes
A Windows update, driver or security software change altered the boot measurements BitLocker checks.
A BIOS or UEFI firmware update reset the Secure Boot or TPM state.
Secure Boot was turned off or its keys were changed in firmware.
The TPM was cleared or reset, or the motherboard or CPU was swapped.
Hyper-V or Virtualization Based Security (Secure Launch) forces recovery on every boot on some builds.
The boot order changed or a new bootable device was attached at startup.
The BitLocker metadata or the drive itself is damaged.
Expert insight
“0xC0210000 frightens people because it looks like the drive is gone, but the data is fine and locked exactly as designed. Almost every time, the recovery key is sitting in the owner's Microsoft account at aka.ms/myrecoverykey. I enter the key, get into Windows, then find what changed, a firmware update or a Secure Boot toggle, and suspend BitLocker for one reboot so it does not lock again. The golden rule is simple, always suspend BitLocker before you touch the BIOS or TPM.”
Manager, Tech Support & Operations · 19+ years fixing Windows and system errors
✓ How to fix it
Method 1
Enter your 48-digit BitLocker recovery key
1At the blue BitLocker recovery screen, note the Recovery key ID shown. From a phone or another PC open aka.ms/myrecoverykey and sign in with your Microsoft account to find the matching 48-digit key.
2On a work or school PC the key is usually in your organisation account. Sign in to the work account portal, or ask your IT team to pull it from Azure AD / Entra ID, Intune or Active Directory.
3Type the 48-digit key at the recovery screen and press Enter. Windows unlocks and starts. If you have more than one key, match it by the Recovery key ID.
Method 2
Undo the update or change that triggered it
1If the error began right after an update, get into Windows with your key, or at the recovery screen choose Skip this drive then Troubleshoot > Advanced options.
2Use System Restore to roll back to a point before the change, or uninstall the most recent quality or driver update from Uninstall Updates.
3Reboot. With the change reversed, BitLocker trusts the boot again and stops asking for the key.
Method 3
Re-enable Secure Boot in UEFI
1A disabled or changed Secure Boot setting is a frequent trigger, sometimes shown as E_FVE_SECUREBOOT_DISABLED. Restart and enter UEFI or BIOS setup (often Del, F2, F10 or F12).
2In the Boot or Security section set Secure Boot back to Enabled, matching the state BitLocker was set up with. Save and exit.
3Let Windows boot. Enter the recovery key once if prompted, then it should start normally on later boots.
Method 4
Stop the recovery loop from WinRE
1If the PC asks for the key on every boot (common with Hyper-V or Virtualization Based Security on some builds), enter the key, then if prompted again choose Skip this drive to reach the recovery environment.
2Open Troubleshoot > Advanced options > Command Prompt, then unlock the OS drive and suspend its protectors. Replace the sample digits with your real 48-digit key:
3Type exit and choose Continue to boot into Windows. Fix the underlying trigger, then resume protection with Method 8.
Method 5
Suspend BitLocker before BIOS, firmware or TPM updates
1This both prevents 0xC0210000 and clears a pending-firmware lock. In Windows open Control Panel > System and Security > BitLocker Drive Encryption and choose Suspend protection, or run this in an admin terminal:
manage-bde -protectors -disable C: -rc 1
2The -rc 1 option suspends BitLocker for a single restart, so a firmware, BIOS or TPM update can complete without locking the drive.
3After the update finishes and Windows is back, BitLocker resumes on its own. Confirm with manage-bde -status.
Method 6
Check the BitLocker status and key protectors
1Open an admin terminal in Windows, or Command Prompt in the recovery environment, and check the drive:
manage-bde -status
2Confirm whether the volume reads Locked or Unlocked and that a recovery password protector exists. List the protectors with:
manage-bde -protectors -get C:
3If a recovery password is listed but you do not have the 48-digit value, retrieve it from your Microsoft or work account before going further.
Method 7
Repair a damaged BitLocker drive with repair-bde
1If the drive is corrupted and will not unlock even with the right key, the BitLocker Repair Tool can salvage data to a spare drive of equal or larger size. This overwrites the target drive, so back up anything on it first.
2Boot into the recovery environment or another Windows PC, open Command Prompt and run, where C: is the damaged drive and D: is the empty target:
3You can pass a key file with -rk, or a key package with -kp if the BitLocker metadata is damaged. Let it finish, then read the recovered data from D:.
Method 8
Resume BitLocker protection after the fix
1Suspending BitLocker leaves the drive unprotected, so turn it back on once the trigger is resolved. In an admin terminal run:
manage-bde -protectors -enable C:
2Confirm it reads Protection On with manage-bde -status.
3From now on, suspend BitLocker (Method 5) before any BIOS, firmware, TPM or Secure Boot change so 0xC0210000 does not return.
No recovery key anywhere? BitLocker is built so only the key holder can unlock the data. If the 48-digit key was never saved to a Microsoft account, a work account, a USB or a printout, no one, not even Microsoft, can recover it, and the only way back is to reset the drive, which erases everything. Always back up your recovery key to your Microsoft account before changing firmware or hardware.
Frequently asked questions
What does error 0xC0210000 mean?
It is STATUS_FVE_LOCKED_VOLUME. Your drive is encrypted with BitLocker and Windows could not load the key to unlock it, so the PC boots to the BitLocker recovery screen. Entering the 48-digit recovery key unlocks it and lets Windows start.
Where do I find my BitLocker recovery key?
For a personal PC, open aka.ms/myrecoverykey and sign in with your Microsoft account. For a work or school PC the key is in your organisation account, so check Azure AD or Entra ID, Intune or ask your IT team. It may also be on a printout or a USB file from when BitLocker was set up.
Why did 0xC0210000 appear after a Windows update?
Updates can change the boot measurements BitLocker checks, so it stops trusting the boot and asks for the recovery key. Enter the key to start Windows, then suspend BitLocker before installing major updates, firmware or BIOS changes.
Can I fix it without the recovery key?
No. Without the 48-digit recovery key or password the data cannot be unlocked, by design. If the key was never backed up to a Microsoft account, work account, USB or printout, the only option left is to reset the drive, which erases everything on it.
Will entering the recovery key delete my files?
No. The recovery key unlocks the drive and your files stay intact. Only resetting the drive, or repairing to another drive with repair-bde, involves data loss, so keep a backup before any repair step.
How do I stop it asking for the key on every boot?
Get into Windows, fix the trigger such as re-enabling Secure Boot, then suspend BitLocker for one restart with manage-bde -protectors -disable C: -rc 1 before rebooting. Resume protection afterwards with manage-bde -protectors -enable C:.
Still not working?
If none of the methods above get you back in, the drive may be physically failing or the key may genuinely be lost. Test the disk health, try the recovery key on another PC, and on a managed work device contact your administrator who can release the key from Azure AD or Intune. You can also submit your error to us for a tailored fix.
