Re: Windows 10 Asking For Bitlocker Recovery Key Every Reboot


Christal Rasband

Jul 10, 2024, 5:22:39 PM
to laqnconstodi

I have a Win10 PC with Bitlocker protected OS drive C:, that has started to request the Bitlocker Recovery key be input upon cold boots, restarts, and resumes from hibernation even when no changes have been made to the hardware or to the selected UEFI boot device in-between. I have:

None of the above restores the Bitlocker behaviour to the normal operation it previously had (i.e. requiring Recovery key input on C: only if dual-booting from an external drive). Is there another known solution to attempt?

If not, am I left to assume that either (1) the TPM is faulty, or (2) some hardware/firmware component of the PC is mis-reporting its identity to TPM each boot, or (3) something is incorrectly writing to GPT every shutdown. Is there another possibility that might be causing this behaviour?

Thanks, and 'yes'. The logged error event sequence is 24680, 24635 and 24636 - in summary, that Bitlocker fails to obtain the volume master key due to non-matching PCRs. I understand this to mean that the TPM calculates upon re-boot/resume that the PC's hardware profile has been changed since the previous boot/initialization. Clearly, in each case here it hasn't been but that is what the TPM calculates, so refuses Bitlocker the VMK.

My suggestions 1, 2 and 3 were those I could think of as to why this incorrect calculation might happen. 1 and 2 would be hardware/firmware issues and not fixable by a clean re-install of Win10. I don't want to attempt that if it's likely not to be the solution.

I should have added originally that the local group policy settings for PCR are "not configured", which I understand to be recommended for Win10 so the OS when initializing TPM can define which components to include in the PCR.

I am way out of my understanding getting on here, but I too have to put in that very long recovery key on every reboot, and at other odd times. I fully do not understand the BIOS update of where/how/what of that. Updates have been done, I don't make system changes and have, simply, no idea why this thing is doing what this thing is doing. How do we turn this 48 number long code off for EVERY TIME I want to use my computer?

Joedodger, in what you have written it is not clear whether you do want to use Bitlocker but find it is working incorrectly (ie. by requesting recovery key every boot) or whether you do not want to use Bitlocker.

Instead of entering your 48 digit key, press ESC, which takes you to another (similar) screen. At the new screen, enter the 48 digit key. This will alter the system and you'll never have to do it again.

I can confirm that Gray Strickland's suggestion worked for me. I had just replaced my laptop's main board, while keeping the same SSD, and bitlocker was asking for my recovery key on every boot. After entering the key in the "Press Esc for more recovery options" field, I no longer have to enter it on boot anymore. Also note that I am on Windows 11.

I too had this very same issue. What I discovered is that the Windows Boot Manager in the BIOS must be the first item in the Boot Order. The Windows Boot Manager scans for the Network Unlock. I can't explain it so maybe this link will provide the information some may want. -us/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence

By "remove the TPM protector and re-add it" do you mean remove it from Win10 use via Device Manager (and if so, how to re-add ?) or do you mean remove from boot procedure by changing something in UEFI ?


Have you managed to find a solution for this? Facing similar issues on some computers, starting the current month (March, 2021).
BitLocker event log warning in one of the affected machines: "BitLocker cannot use Secure Boot for integrity because the TCG Log for PCR [7] contains invalid entries"

It did not work first time through without the third step - after step 6, the new installation (as made at step 4) did not require the Recovery Key but the restored image after step 7 still did. When performed a second time through adding in step 3, it worked correctly for both the re-installed system and the restored image. (It is possible the difference isn't step 3 but actually just to have repeated the other steps for some reason.)

BitLocker is an encryption function of the Windows Operating System (OS). You may encounter an issue where BitLocker asks for a recovery key every time you boot up your computer. This issue has been found to occur on computers with USB Type-C and Thunderbolt 3 (TBT) ports.

BitLocker monitors the computer for changes to the boot configuration. When BitLocker sees a new device in the boot list or an attached external storage device, it prompts you for the key for security reasons. This is normal behavior.

This problem occurs because boot support for USB-C/TBT and Preboot for TBT are set to On by default. Turning these options off in the BIOS removes any USB-C/TBT devices from the boot list, and BitLocker does not see them.


Bitlocker encrypts fine but keeps asking for the recovery password every cold boot and most restarts. Pausing/resuming Bitlocker only provides a temporary fix. The EliteBook is saying "secure boot policy has unexpectedly changed" and then asks for the recovery password.

Hi,
we changed the settings to legacy support enabled for our imaging process.
Apparently this does not work with these new devices so we had to revert our changes in:
Advanced -> Secure Boot Configuration -> Configure Legacy Support and Secure Boot -> "Legacy Support Disabled and Secure Boot Enable"

I have seen that other post, but this SSD is already using GPT partition style so I just followed the instructions from Advanced > secure boot > and "disable both legacy and secure boot".
Neither worked.

I tried various combinations of turning off BitLocker, clearing TPM under Windows and BIOS, re-enabling BitLocker, factory reset plus all Windows Updates, HP Updates including BIOS, software installs etc before enabling BitLocker.

HP Support did ask if I could change a setting under Control Panel -> Manage BitLocker that I can't see on either laptop. That setting was "Change how drive is unlocked at startup", but I only have "Suspend Protection", "Back up your recovery key" and "Turn off BitLocker".

Could you clarify how you did this? From what I read, I was to first DECRYPT the bitlocked drive, then clear the TPM, but I'm more willing to chance it if I can just temporarily DISABLE Bitlocker before clearing the TPM.

Now, for you, the option to change how Bitlocker unlocks has to be done, I think, from the GPEDIT.MSC command. See my dropbox link, -Encrypting-Operating-system-drive-with-password-... , for where you have to navigate to. (I might have more detail if you need it).

The MAIN issue I have (see separate thread, posted today, on TPM, Security, and settings) is that my TPM has had a couple of errant PIN attempts, and I can't get it to allow more than one PIN attempt before it requires the Bitlocker recovery key. I want to reset the TPM security so that it can tolerate more errant attempts before locking down, and I also want to change the amount of time (lessen it) that the machine has to run before it (the TPM) resets itself.

If you're not connecting any devices and it keeps asking for the recovery key, it is because the boot support for Preboot for TBT and USB-C/TBT is turned on by default. Turn this off in BIOS to avoid being prompted for the recovery key.

Bitlocker encrypts your hard disk. If Bitlocker keeps asking for the recovery key in an abnormal way, it could be facing some sort of issue. But did you know what? We know what could help fix it. If you want to fix Bitlocker asking for a recovery key abnormally, continue reading!

And there are other reasons why you could be seeing the error, but these are the primary and most common reasons for you to see the error. But do you know what? We know how to fix it. Read on to find out how to stop Bitlocker from asking you for a recovery key and how to fix it.

If the BitLocker keeps asking for the recovery key, don't worry; I will show you how to fix this. I bring you 10 solid solutions that should fix this for you instantly. Continue reading to learn more!

Step 1. Open BitLocker and enter your recovery key. If you are using Microsoft's Outlook account, the encryption of Bitlocker starts automatically. Go to and get your recovery key to enter.

The BIOS can also be the reason why Bitlocker keeps asking for a recovery key. BIOS, like any other program, can become corrupted or start performing poorly after a certain period of time, which is why it is necessary to update them frequently.

Bitlocker is an amazing way to encrypt your hard drive and protect your files from being accessed by unauthorized users. It can also break down like any other piece of software, and it can also be fixed.

I have a ThinkPad X1 Carbon 7th Gen received from my organization. I have installed OpenSUSE Tumbleweed dual boot with Windows 10. I was able to install it with Secure Boot on and everything works fine so far. However, when I boot into Windows, it asks for the Bitlocker recovery key every time.

In BIOS I changed the boot settings to Windows as first. In that case, the problem is solved and I don't have to enter the recovery key many times. However, I cannot access Linux (your suggestion is useful here).
