BitLocker is Windows' built-in full-volume encryption. It protects the data on a drive from being read if the disk is pulled out or the machine is booted from other media; it does not stop anyone who can sign in to the running system. If BitLocker is enabled on your Windows PC, you may run into a problem where BitLocker keeps asking for the recovery key at every startup.
When you turn on BitLocker on a Windows 11/10 PC, a unique 48-digit numerical password is generated that can unlock the BitLocker-protected volume. This is the BitLocker recovery key (also called the recovery password). It is not needed during a normal startup: the TPM releases the volume key automatically as long as the boot measurements it was sealed to are unchanged. Under certain circumstances (a hardware change, a crash, a UEFI or TPM firmware update, a change to Secure Boot) those measurements differ and Windows prompts you for the recovery key instead.
BitLocker keeps asking for Recovery key at startup
If you know the recovery key, you can enter it on the BitLocker screen and boot into the OS. If you don't know it, you can find it in your Microsoft account or your organization's Azure Active Directory account (see the last section). If BitLocker keeps asking for the recovery key at startup even after you have entered the correct key several times, you are in a recovery key loop: the key unlocks the volume for that boot, but the TPM protector still fails validation at the next one. Follow these steps to get out of the BitLocker recovery loop in Windows 11/10:
- Restart your PC.
- Open Command Prompt from the Windows Recovery Environment (WinRE).
- Unlock your boot drive using BitLocker recovery password.
- Disable the key protectors (including the TPM protector) on your boot drive.
Let us see these in detail.
1] Restart your PC
Make sure you’ve restarted your PC at least once before proceeding further.
2] Open Command Prompt from the Windows Recovery Environment
The Command Prompt you need is not in the BIOS/UEFI setup; it is part of the Windows Recovery Environment (WinRE), which the BitLocker screen leads into. On the BitLocker screen, click the Skip this drive link.
On the next screen, click Troubleshoot, then Advanced options, then Command Prompt.
3] Unlock your boot drive using BitLocker recovery password
In the Command Prompt (WinRE runs it with full privileges), type the following command and press the Enter key:
manage-bde -unlock <DriveLetter>: -recoverypassword 123456-123456-123456-123456-123456-123456-123456-123456
In the above command, <DriveLetter> is the letter assigned to the drive that holds your operating system; the letter WinRE assigns can differ from the one used inside Windows, so check which volume is locked before running the command. 123456-123456-123456-123456-123456-123456-123456-123456 stands for your own 48-digit BitLocker recovery password. The BitLocker screen shows a Key ID; use the stored key whose ID matches it.
4] Disable the key protectors on your boot drive
In the same Command Prompt window, type the following command and press the Enter key:
manage-bde -protectors -disable <DriveLetter>:
Exit the elevated Command Prompt.
The above command disables all of the volume's key protectors, including the TPM (Trusted Platform Module) protector, which is what suspending BitLocker does. The volume stays encrypted, but its key is now stored on the disk in the clear so that Windows can boot without asking the TPM. Until you resume protection, anyone with access to the disk can read the data, so treat the device as unprotected in the meantime.
Restart PC and continue to boot into your Windows 11/10 OS.
Once you are out of the BitLocker recovery key loop, do not forget to resume BitLocker protection (turn the key protectors back on). Resuming reseals the volume key to the TPM's current measurements, which is what stops the prompt from coming back, and it removes the clear key from the disk.
Why does my Surface keep asking for the BitLocker recovery key?
When you install a UEFI or TPM firmware update on a Surface device that has BitLocker turned on, you can end up in a recovery key loop if the TPM protector is bound to PCR (Platform Configuration Register) values other than the defaults BitLocker uses on a Secure Boot device, PCR 7 and PCR 11. This happens when Secure Boot is turned off or when a PCR validation profile has been set explicitly (for example through BitLocker group policy): the protector is then sealed to measurements of the firmware itself, and those change with the update. Enable Secure Boot and use the steps explained in this post to clear the loop.
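The script below is an added example and is not code from the original article. It turns steps 3 and 4 of the procedure above, the resume that has to follow them, and the PCR-binding question in this section into one PowerShell file with the checks a practitioner wants: the recovery password is validated offline before it is tried, every manage-bde call is checked for a nonzero exit code, and protection is only resumed once the TPM protector is bound to PCR 7 and 11 with Secure Boot on. It assumes manage-bde.exe is on the PATH (it ships with Windows and WinRE), that the OS volume is C:, that the recovery half runs in a PowerShell started from the WinRE Command Prompt, and that the resume half runs elevated in the booted OS. All function and parameter names are this example's own.

```powershell
# Added example, not code from the original article. Assumptions: manage-bde.exe is on the
# PATH, the OS volume is C:, the recovery half runs in a PowerShell started from the WinRE
# Command Prompt, the resume half runs elevated in the booted OS. Names are this example's own.

function Test-RecoveryPasswordFormat {
    # A recovery password is 8 groups of 6 digits; each group is a 16-bit value times 11,
    # so it must be divisible by 11 and no larger than 65535*11. Catches typos offline.
    param([Parameter(Mandatory)][string]$RecoveryPassword)
    $groups = $RecoveryPassword.Trim() -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $v = [int]$g
        if (($v % 11) -ne 0 -or ($v / 11) -gt 65535) { return $false }
    }
    return $true
}

function Get-BitLockerField {
    # Reads one "Name:   value" field out of manage-bde text output (e.g. "Lock Status").
    param([string[]]$Output, [string]$Name)
    $pattern = "^\s*$([regex]::Escape($Name)):\s*"
    $line = $Output | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if ($null -eq $line) { return $null }
    return ($line -replace $pattern, '').Trim()
}

function Unlock-OSVolumeForRecovery {
    # Steps 3 and 4 of the article with checks: verify the key format, unlock only if the
    # volume is still locked, then disable every key protector. The volume stays encrypted,
    # but its key is written to disk in the clear until Resume-BitLockerAfterRecovery runs.
    param([string]$Drive = 'C:', [Parameter(Mandatory)][string]$RecoveryPassword)
    if (-not (Test-RecoveryPasswordFormat $RecoveryPassword)) {
        throw 'Recovery password is not in the BitLocker 8x6-digit format (each group divisible by 11).'
    }
    $status = manage-bde -status $Drive
    if ((Get-BitLockerField $status 'Lock Status') -eq 'Locked') {
        manage-bde -unlock $Drive -RecoveryPassword $RecoveryPassword | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "manage-bde -unlock failed (exit code $LASTEXITCODE); compare the Key ID on the recovery screen with the stored key"
        }
    }
    manage-bde -protectors -disable $Drive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -disable failed (exit code $LASTEXITCODE)" }
    $status = manage-bde -status $Drive
    return [pscustomobject]@{
        Drive            = $Drive
        LockStatus       = Get-BitLockerField $status 'Lock Status'         # expected: Unlocked
        ProtectionStatus = Get-BitLockerField $status 'Protection Status'   # expected: Protection Off
    }
}

function Test-TpmPcrBinding {
    # The Surface FAQ case: on a Secure Boot device BitLocker binds the TPM protector to
    # PCR 7 and 11. Any other profile (e.g. 0, 2, 4, 11 when Secure Boot is off) includes
    # firmware code measurements, which change on a UEFI/TPM update and trigger recovery.
    param([string]$Drive = 'C:')
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }  # throws on non-UEFI boxes
    $text = (manage-bde -protectors -get $Drive -Type TPM) -join "`n"
    $m = [regex]::Match($text, 'PCR Validation Profile:\s*([\d, ]+)')
    $pcrs = @()
    if ($m.Success) { $pcrs = @($m.Groups[1].Value -split ',\s*' | ForEach-Object { [int]$_ }) }
    return [pscustomobject]@{
        Drive             = $Drive
        SecureBoot        = $secureBoot
        PcrProfile        = $pcrs
        BoundToSecureBoot = $secureBoot -and (($pcrs -join ',') -eq '7,11')
    }
}

function Resume-BitLockerAfterRecovery {
    # Run in the booted OS once the loop is broken. Refuses to re-enable protectors while the
    # TPM is bound to a firmware-dependent profile (the loop would return at the next update),
    # then turns protection back on, which reseals the key to the current measurements.
    param([string]$Drive = 'C:', [switch]$Force)
    $b = Test-TpmPcrBinding -Drive $Drive
    if (-not $b.BoundToSecureBoot -and -not $Force) {
        throw "TPM protector on $Drive uses PCRs [$($b.PcrProfile -join ', ')] with SecureBoot=$($b.SecureBoot); enable Secure Boot or clear the PCR policy, or re-run with -Force."
    }
    manage-bde -protectors -enable $Drive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -enable failed (exit code $LASTEXITCODE)" }
    return Get-BitLockerField (manage-bde -status $Drive) 'Protection Status'   # expected: Protection On
}
```

In WinRE, start powershell from the Command Prompt, dot-source the file and run Unlock-OSVolumeForRecovery -Drive C: -RecoveryPassword '<your 48-digit key>'; after the reboot, run Resume-BitLockerAfterRecovery from an elevated PowerShell. Test-TpmPcrBinding on its own answers the Surface question: a profile other than 7, 11 or SecureBoot=False is the condition described above. Note that the article's 123456-… placeholder fails Test-RecoveryPasswordFormat, since 123456 is not divisible by 11; that is expected for a placeholder. A volume with no TPM protector at all (password-only) also reports BoundToSecureBoot=False, which is why the -Force switch exists.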
How do I find my BitLocker recovery key?
On a personal device the BitLocker recovery key is saved to your Microsoft account by default, but it may also have been backed up elsewhere when BitLocker was turned on (a file, a printout, a USB drive), depending on the choice made at the time. Sign in to your Microsoft account to locate it, and match the Key ID shown on the recovery screen to the stored key. On a work or school device, look in your organization's Azure AD account or ask your system administrator.