Your Secure Boot Policy has changed, and correct BitLocker key does not unlock...

Benjamin Cornwell 1 Reputation point
2021-04-21T15:13:32.533+00:00

Hello all,

I have a set of systems that are not connected to the internet. A Windows 10 Media Creation tool with Windows 10 version 20H2 was used on each machine to upgrade it from 1809 to 20H2. This worked fine for all machines except one. The one machine prompts for the BitLocker recovery key every time it boots, and even when it is entered correctly, it still does not boot.

The flow goes like this:

Boot -> Enter your BitLocker recovery key -> enter correct key -> Enter your BitLocker recovery key (slightly different page but same key ID, etc.) -> Reboots... -> Enter your BitLocker recovery key.

It's a never-ending loop. I have tried to do an automatic repair, but it could not be done. I tried to boot from the same media creation tool, and it cannot do an in-place upgrade without wiping the entire system, which is undesirable. Whenever I reboot, it continues to ask for the key, and entering the key does not unlock it. It says that because my Secure Boot Policy has changed, I must enter the key, and even though the key is 100% correct, it will not boot to Windows.

Please advise.

Thank you


1 answer

  1. Teemo Tang 11,436 Reputation points
    2021-04-22T01:41:21.873+00:00

    Hello,

    Try following the instructions here: http://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx

    Choose the “Skip this drive” link at the bottom of the page where you are asked to enter the recovery key. You should be presented with a menu that will let you get to a command prompt (The sequence is Advanced options -> Troubleshoot -> Advanced options -> Command prompt).
    Once you have a command prompt, use the following command to check the BitLocker status of the C: drive:
    manage-bde -status c:
    If the status is returned as locked, you’ll need to use the following command to unlock it using your recovery password:
    manage-bde -unlock c: -rp <your 48-digit recovery password>
    Once the drive is unlocked you'll need to use the following command to suspend protection:
    manage-bde -protectors -disable c:
    Then exit and reboot. The computer should now successfully boot Windows. Once there, use the BitLocker control panel to resume BitLocker protection.

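The manage-bde sequence from the answer above, wrapped as an added PowerShell script (example code, not from the thread or from Microsoft). It assumes powershell.exe can be started from the WinRE command prompt, that the OS volume is C:, and that the recovery password is passed as the RecoveryPassword parameter; it also checks the 48-digit password's format first, so a transcription error is reported before manage-bde is called.

```powershell
# Added example: automates the status -> unlock -> suspend steps from the answer.
# Assumes powershell.exe is available in the WinRE command prompt (assumption).
param(
    [string]$Drive = 'C:',
    [Parameter(Mandatory = $true)][string]$RecoveryPassword
)

# A BitLocker recovery password is 8 groups of 6 digits; each group is a multiple
# of 11 whose quotient fits in 16 bits (group value < 720896). This catches a
# mistyped key; it cannot tell whether the key matches the volume.
function Test-RecoveryPasswordFormat([string]$Password) {
    $groups = ($Password -replace '\s', '') -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

# Read the "Lock Status:" line from manage-bde -status output (Locked/Unlocked).
function Get-LockStatus([string]$Drive) {
    $out = & manage-bde.exe -status $Drive 2>&1 | Out-String
    if ($out -match 'Lock Status:\s*(\w+)') { return $Matches[1] }
    throw "Could not read lock status for $Drive`n$out"
}

if (-not (Test-RecoveryPasswordFormat $RecoveryPassword)) {
    throw 'Recovery password is not in the 8 x 6-digit BitLocker format; check for typos.'
}

$status = Get-LockStatus $Drive
Write-Host "$Drive lock status: $status"
if ($status -eq 'Locked') {
    & manage-bde.exe -unlock $Drive -rp $RecoveryPassword
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -unlock failed (exit $LASTEXITCODE)" }
}

# Suspend protection so the changed Secure Boot/TPM measurements are not enforced
# at the next boot; resume BitLocker from the control panel once Windows loads.
& manage-bde.exe -protectors -disable $Drive
if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -disable failed (exit $LASTEXITCODE)" }
Write-Host "Protection suspended on $Drive. Exit WinRE and reboot, then resume BitLocker."
```

Run it from the WinRE command prompt with `powershell -ExecutionPolicy Bypass -File .\suspend-bitlocker.ps1 -RecoveryPassword <48-digit key>`; the drive stays encrypted, only the protectors are suspended until you resume them in Windows.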

