Turn off the need to enter BitLocker Recovery Key

Question

Not sure how to Turn off the need to enter BitLocker Recovery Key screen that comes up each time I turn on my laptop. Also, how do I fix this for good? Thanks

Answer 1

BitLocker was created to protect you in the event a thief steals your computer. Someone with physical possession of a computer can tamper with it in ways that a hacker cannot. When Windows detects tampering, it locks the computer with BitLocker.

Sometimes, without intending harm, computer users do things to their computers that trigger BitLocker. So the real solution for your situation is to think about changes you have made to your computer which could be triggering BitLocker, and undo those changes, if that's possible.

Here are some common events that cause a computer to enter BitLocker recovery mode when starting Windows. (This is not a complete list.)

• having the CD or DVD drive before the hard drive in the BIOS boot order
• upgrading Windows from a CD/DVD or a mounted ISO
• docking or undocking a portable computer
• making changes to the NTFS partition table on the disk
• making changes to the boot manager
• turning off, disabling, deactivating, or clearing the TPM
• upgrading the motherboard to a new one with a new TPM
• upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade
• moving a BitLocker-protected drive into a new computer

These are all things that a thief can do to break in to a computer.

Answer 2

Hello,

Open Command Prompt as Administrator and run the following commands in sequence:

manage-bde -protectors -disable C:

manage-bde -protectors -enable C:

Reset the BitLocker protection status to see if this resolves the issue.

If you need to completely turn off BitLocker:

Open Control Panel, select System and Security. Click BitLocker Drive Encryption to enter the management interface. Then click Turn Off BitLocker.

Answer 3

To stop the BitLocker Recovery Key screen from appearing at every startup, the underlying cause must be fixed and BitLocker must be able to unlock the drive normally again. The common triggers and fixes from the context are:

1. Enter the recovery key once and let Windows boot
   If Windows starts successfully after entering the recovery key, immediately install all latest Windows and (if applicable) device/firmware updates. This can prevent repeated recovery prompts caused by outdated firmware or boot components.
   On Surface devices, also install the latest Surface drivers and firmware as described in the Surface guidance.
2. Check for Secure Boot / firmware changes (Surface and similar devices)
   If the issue started after UEFI/TPM/Secure Boot changes or updates, BitLocker may detect a changed boot environment and go into recovery every time. On affected Surface devices, the documented workaround is:
   • Boot to Surface UEFI.
   • Go to Security > Secure Boot > Change Configuration.
   • Select Microsoft Only > OK.
   • Exit and restart.
   • Then, in Windows, suspend and resume BitLocker using the Suspend-BitLocker and Resume-BitLocker cmdlets so BitLocker relearns the current boot configuration.
     Also ensure any Group Policies that customize TPM PCR validation for BitLocker are disabled, then suspend and resume BitLocker again so it binds to the correct PCRs.
3. If you see “Too many PIN entry attempts”
   If the recovery screen appears because of too many failed BitLocker PIN attempts:
   • Enter the BitLocker recovery key when prompted, or
   • Wait until the TPM unlock period expires and then enter the correct PIN, or
   • As a last resort, unlock or turn off BitLocker from the recovery environment using manage-bde (this decrypts the drive and removes the need for BitLocker at startup):
     • At the BitLocker screen, press Esc for other recovery options.
     • Open Command Prompt.
     • To unlock the drive:
       manage-bde -unlock <DriveLetter>: -recoverypassword <Password>
       or
       manage-bde -unlock <DriveLetter>: -recoverykey <RecoveryKey>
     • To turn off BitLocker (permanently removes encryption and recovery prompts):
       manage-bde -off <DriveLetter>:
     • Wait until decryption is complete (manage-bde -status <DriveLetter>: shows Conversion Status: Fully Decrypted).
4. If Windows will not start even with the correct recovery key
   If entering the correct key still does not boot Windows (for example after firmware/TPM updates):
   • Boot into Windows Recovery Environment (WinRE) after failed boots.
   • Go to Troubleshoot > Advanced options > Command Prompt.
   • If prompted, enter the BitLocker recovery key.
   • Run the boot repair commands:
     • bootrec /scanos
     • bootrec /rebuildbcd
     • bootrec /fixmbr
     • bootrec /fixboot
   • Restart and check if Windows starts normally. If it does, update Windows and device firmware.
5. If the BitLocker key cannot be found
   If the recovery key is not available in any of the documented locations (Microsoft account, printout, USB, AD/Azure AD, MBAM, or from an organization’s IT), it cannot be retrieved by Microsoft or bypassed. BitLocker is designed so that without the key, the data cannot be accessed. In that case, the only way to “fix it for good” is to reset or clean-install Windows, which removes all data on the encrypted drive and eliminates the recovery prompt going forward.
6. Permanently removing the need for BitLocker at startup
   Once Windows is bootable and the recovery prompt is no longer appearing due to configuration issues, the need to enter a recovery key at startup can be removed by either:
   • Keeping BitLocker on but ensuring no further boot/firmware changes occur without first suspending BitLocker (so recovery is only triggered when something actually changes), or
   • Turning BitLocker off (manage-bde -off or via the BitLocker control panel) to decrypt the drive. This permanently removes encryption and any BitLocker recovery prompts, but also removes the protection BitLocker provides.

Because turning off BitLocker or changing Secure Boot/TPM settings lowers security, evaluate the risk before doing so and ensure backups exist.

---

References:

• Prompted for BitLocker recovery key after installing updates to Surface UEFI or TPM firmware on Surface device
• Error after you enter a BitLocker PIN at Windows startup: Too many PIN entry attempts
• BitLocker recovery overview
• System crashes after you restart or wake up the computer in Windows 8.1 or Windows RT 8.1
• Surface turns on but is stuck on the Recovery screen
• Request for Assistance with BitLocker Recovery – Surface Pro 2 - Microsoft Q&A
• Unable to recover Bitlocker key and unable to reload Windows 11 - Microsoft Q&A
• Surface Pro 3 blocked - Microsoft Q&A