BitLocker enters recovery on every startup when the boot configuration or the TPM platform measurements (PCR values) no longer match the values the TPM key protector was sealed against. After using the recovery key to boot, the protector needs to be reset against the current configuration so that BitLocker stops prompting on every start.
Follow these steps after successfully unlocking with the recovery key:
- Identify why recovery is triggered
- Sign in to Windows.
- Open an elevated Command Prompt (Run as administrator).
- Run:
manage-bde.exe -status
- This shows which protection mode is configured (TPM, TPM+PIN, and so on) and whether protection is currently on, off or suspended.
- Check Event Viewer (Applications and Services Logs → Microsoft → Windows → BitLocker-API → Management, plus the System log) for BitLocker-related events that indicate the cause (for example, a boot file change, a firmware/BIOS/UEFI update, a Secure Boot change or a TPM change).
- Check PCR profile and configuration
- In the same elevated Command Prompt, run:
manage-bde.exe -protectors -get C:
(replace C: if the OS drive uses a different letter)
- Confirm which PCRs the TPM protector's validation profile uses. On modern UEFI devices with Secure Boot enabled (especially Connected Standby-capable PCs and Surface), BitLocker should normally bind to PCR 7 and PCR 11. If a custom PCR profile was configured (for example, via Group Policy) or Secure Boot was disabled, BitLocker instead binds to PCRs that measure firmware and boot manager code directly, so any firmware, option ROM or boot configuration change can cause repeated recovery.
- Reset BitLocker validation profile
- After identifying and correcting the root cause (for example, re‑enabling Secure Boot, completing any pending firmware/TPM updates, or reverting unintended boot changes), reset BitLocker so it relearns the current good configuration. Re‑enabling the protectors reseals the TPM key protector to the PCR values of the current boot, so make sure the recovery password is recorded somewhere accessible before suspending:
- Open an elevated Command Prompt.
- Suspend BitLocker:
manage-bde -protectors -disable C:
- Reboot the device once so it starts normally without recovery.
- Re‑enable BitLocker protectors:
manage-bde -protectors -enable C:
- If recovery is due to a forgotten PIN
- If using TPM+PIN and the PIN was forgotten, use the recovery key to unlock, then while signed in:
- Open Control Panel → BitLocker Drive Encryption.
- Expand the OS drive and select Change PIN.
- Choose Reset a forgotten PIN, provide admin credentials if prompted.
- Set a new PIN and finish the wizard.
- This prevents repeated recovery due to an unknown PIN.
- If the issue started after UEFI/TPM or firmware changes (common on Surface)
- Verify that Secure Boot is enabled in UEFI and that the TPM protector is using the default PCR configuration (PCR 7 and 11). Surface and other Connected Standby devices must use PCR 7, because their firmware and boot components change too often for a profile based on direct code measurements to stay stable.
- If custom PCRs were set (for example, via Group Policy) or Secure Boot was disabled, restore them to defaults, then perform the suspend/resume steps above.
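The procedure above (status, PCR profile, Secure Boot and TPM state, BitLocker event log, then suspend → reboot → resume), collected into one PowerShell script. This is an added example, not code from the original article: it uses the BitLocker, SecureBoot and TPM cmdlets built into Windows and calls manage-bde.exe for the PCR validation profile, which Get-BitLockerVolume does not expose. The registry path assumed for the Group Policy PCR profile, the `$MountPoint`, `-Suspend` and `-Resume` parameters and the function names are this example's own assumptions. Run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article. Phase 1: run with no switches
# to diagnose. Phase 2: run with -Suspend, reboot, confirm no recovery prompt,
# then run with -Resume to reseal the TPM protector to the current PCR values.
param(
    [string]$MountPoint = 'C:',   # change if the OS volume is not C:
    [switch]$Suspend,
    [switch]$Resume
)

function Get-BitLockerRecoveryDiagnostics {
    param([string]$MountPoint)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectorTypes = ($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ', '

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; $null means "cannot query".
    try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }
    $tpm = Get-Tpm

    # Read the PCR validation profile from manage-bde output. The PCR list is
    # printed either on the "PCR Validation Profile:" line or on the next line.
    $out = @(& manage-bde.exe -protectors -get $MountPoint)
    $pcrProfile = 'n/a'
    for ($i = 0; $i -lt $out.Count - 1; $i++) {
        if ($out[$i] -match 'PCR Validation Profile:\s*(.*)$') {
            $pcrProfile = if ($Matches[1].Trim()) { $Matches[1].Trim() } else { $out[$i + 1].Trim() }
            break
        }
    }

    # Assumed registry location written by the Group Policy setting
    # "Configure TPM platform validation profile for native UEFI firmware configurations".
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $customPcrs = if (Test-Path $policyKey) {
        (Get-ItemProperty $policyKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' -and $_.Value -eq 1 } |
            ForEach-Object Name
    }

    # Recent BitLocker management events usually name the cause of the recovery prompt.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = (Get-Date).AddDays(-7)
    } -MaxEvents 25 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }

    # The checks a practitioner wants before touching the protectors.
    if ($secureBoot -ne $true) { Write-Warning 'Secure Boot is not enabled (or not a UEFI system); PCR 7 binding is unavailable.' }
    if ($pcrProfile -notmatch '\b7\b') { Write-Warning "Validation profile '$pcrProfile' does not include PCR 7; expected 7, 11 on Secure Boot devices." }
    if ($customPcrs) { Write-Warning "Custom PCR profile set by policy: $($customPcrs -join ','). Restore defaults before resuming." }
    if (-not $tpm.TpmReady) { Write-Warning 'TPM is not ready; check firmware/TPM state before resuming protection.' }

    [pscustomobject]@{
        MountPoint        = $MountPoint
        ProtectionStatus  = $vol.ProtectionStatus
        VolumeStatus      = $vol.VolumeStatus
        Protectors        = $protectorTypes
        SecureBootEnabled = $secureBoot
        TpmReady          = $tpm.TpmReady
        PcrProfile        = $pcrProfile
        CustomPcrPolicy   = if ($customPcrs) { $customPcrs -join ',' } else { 'none' }
        RecentEvents      = $events
    }
}

function Invoke-BitLockerValidationReset {
    param([string]$MountPoint, [switch]$Suspend, [switch]$Resume)

    # Never suspend without a recorded recovery password: if resume fails you still need a way in.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw "No RecoveryPassword protector on $MountPoint; add one (Add-BitLockerKeyProtector -RecoveryPasswordProtector) and back it up first."
    }
    if ($Suspend) {
        # -RebootCount 0 keeps protection suspended until Resume-BitLocker is run,
        # matching the suspend -> reboot -> re-enable sequence in the article.
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
        Write-Host "Protectors suspended on $MountPoint. Reboot, confirm no recovery prompt, then rerun with -Resume."
    }
    if ($Resume) {
        # Resuming reseals the TPM key protector to the PCR values of this boot.
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $status = (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
        Write-Host "ProtectionStatus on ${MountPoint}: $status (expected: On)"
    }
}

if ($Suspend -or $Resume) {
    Invoke-BitLockerValidationReset -MountPoint $MountPoint -Suspend:$Suspend -Resume:$Resume
} else {
    $d = Get-BitLockerRecoveryDiagnostics -MountPoint $MountPoint
    $d | Select-Object * -ExcludeProperty RecentEvents | Format-List
    $d.RecentEvents | Format-Table -AutoSize
}
```

Usage: `.\bitlocker-recovery.ps1` to diagnose, `.\bitlocker-recovery.ps1 -Suspend`, reboot, then `.\bitlocker-recovery.ps1 -Resume`. For a planned firmware update you can use `Suspend-BitLocker -RebootCount 1` instead, which resumes automatically after the next boot; the explicit `-Resume` step here is kept so you can confirm a clean boot before resealing, as the article's procedure does.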
If, after correcting the configuration and suspending/resuming BitLocker, the device still enters recovery at every boot, the PCR values are still changing between boots. Further investigation of the firmware, the TPM configuration, or a potential malware/rootkit modification of the boot chain is required before re‑establishing BitLocker protection; do not simply leave protection suspended.