
How can I gain access to a company owned device after a terminated employee changed passwords?

june sidwell 20 Reputation points
2026-01-06T23:06:34.64+00:00

A terminated employee changed the password on a company device. We don't have the password to the Microsoft account, the BitLocker PIN, etc. What can I do? I am unable to log in and can't even do a restore or reset. What can I do? The device was set up by the terminated employee, and I am now responsible for making sure outreach has company devices. I need to get into this Surface so another employee can use it.

Surface | Surface Pro | Safety and security

Answer accepted by question author
  1. Marcin Policht 82,360 Reputation points MVP Volunteer Moderator
    2026-01-07T00:17:53.6833333+00:00

    If you're unable to access the device because of the BitLocker PIN and the Microsoft account password, you're in a tricky situation, but there are a few steps you can try to regain control. The first step is to see if you can retrieve the BitLocker recovery key. If the Surface was connected to a Microsoft account or Entra ID, there's a chance the BitLocker recovery key is stored in that account. If the terminated employee was using their own account, you might be able to check if the recovery key was saved in their Microsoft account (or the organization's admin account if it's tied to Entra ID). You can go to Microsoft's recovery key website (https://account.microsoft.com/devices/recoverykey) and log in with the admin account to check for the key.

    If that route doesn’t work, or if the account credentials aren’t available, you can attempt to reset the device to factory settings. However, without access to the Microsoft account or BitLocker PIN, this can be challenging. For a Surface device, there are recovery options, like booting into recovery mode. To do this, turn off the Surface, then press and hold the Volume Up button while turning it back on. This should take you to the UEFI settings where you might be able to boot from a USB device that contains a recovery image. If you don't already have a recovery USB, you can create one using another working device with the Windows 10 or 11 recovery tool.

    If you're able to boot into the recovery environment but still can't access the device due to the BitLocker PIN, the only option left might be to erase the drive, which will completely wipe the data and remove all encryption, allowing you to reconfigure the device for the next user. If your organization has any IT support team or a service agreement with Microsoft, it might be worth reaching out to them for assistance as well. Keep in mind that wiping the device would remove all local data, so if that information is essential, you may want to consult with an IT professional who could attempt to extract or recover data first.

    Lastly, as this device setup was done by a terminated employee, if you have any IT management tools like Microsoft Intune, you might be able to remotely reset or wipe the device. If the device is enrolled in Intune or another Mobile Device Management (MDM) system, you should have options to reset or remove the device from the system remotely.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
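
For the Entra ID case mentioned in the answer above, an administrator can also check from PowerShell whether a recovery key was escrowed for the device. This is an added example, not part of the original answer; it assumes the Microsoft Graph PowerShell SDK is installed, the device was joined or registered to the organization's Entra ID tenant, and the signed-in admin is permitted to read BitLocker keys. The function name and the device name `SURFACE-PLACEHOLDER` are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns

# Hypothetical helper: list BitLocker recovery keys escrowed in Entra ID for a named device.
function Get-EscrowedBitLockerKey {
    [CmdletBinding()]
    param(
        # Device display name as it appears in Entra ID (supplied by the caller)
        [Parameter(Mandatory)][string]$DeviceName
    )

    # Escape single quotes so the name is safe inside the OData filter
    $safeName = $DeviceName.Replace("'", "''")
    $devices  = @(Get-MgDevice -Filter "displayName eq '$safeName'" -All)
    if ($devices.Count -eq 0) {
        Write-Warning "No Entra ID device object named '$DeviceName'. It may never have been joined or registered."
        return
    }

    # Display names are not unique, so report every matching device object
    foreach ($device in $devices) {
        # Listing returns key metadata only; the key value itself is not included
        $keys = @(Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$($device.DeviceId)'" -All)
        if ($keys.Count -eq 0) {
            Write-Warning "Device $($device.DeviceId) has no recovery key escrowed in Entra ID."
            continue
        }
        foreach ($k in $keys) {
            # The key value must be requested explicitly; this read is recorded in the Entra audit log
            $full = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $k.Id -Property 'key'
            [pscustomobject]@{
                DeviceName  = $device.DisplayName
                DeviceId    = $device.DeviceId
                KeyId       = $k.Id
                VolumeType  = $k.VolumeType
                Created     = $k.CreatedDateTime
                RecoveryKey = $full.Key
            }
        }
    }
}

# Sign in with delegated scopes for reading devices and BitLocker keys
Connect-MgGraph -Scopes 'BitLockerKey.Read.All', 'Device.Read.All'
Get-EscrowedBitLockerKey -DeviceName 'SURFACE-PLACEHOLDER' | Format-List
```

If the function only emits warnings, no key was escrowed to the tenant, which matches the case where the device was set up under a personal Microsoft account; the remaining options are the ones the answer describes.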
