
After updating BIOS, system required BitLocker recovery key on every startup due to a protector error. Disabled BitLocker, now cannot reenable it.

Rosalind 20 Reputation points
2026-04-06T05:00:46.4833333+00:00

System details:

  • OS: Windows 11 Pro 25H2, build 26200.8117
  • CPU: AMD Ryzen 7 7800X3D
  • Motherboard: Gigabyte B650 AORUS Elite AX V2, BIOS F39
  • TPM?: Enabled, TPM Management says it is ready for use
  • Secure Boot?: Enabled
  • System Mode: User
  • BitLocker details: Full drive encryption of C: drive using new encryption method, no PIN

Issue:

Yesterday, I updated my computer's BIOS. Before doing so, I received a message about suspending BitLocker to avoid TPM issues, which I'm sure I did. I ran the update without issues, and when the computer rebooted, I entered in my BitLocker recovery key, which I have on previous occasions where I've updated the BIOS.

Later, I put the computer to sleep. When I came back and rebooted it, it required the recovery key again, which it hasn't done before. It did the same thing this morning, both on being booted up and on being awakened from sleep. I investigated and found this message:

[screenshot: IMG_20260406_135228_141]

(My apologies if anything's unnecessarily obscured, I wasn't sure what counted as private details.)

I did some research and followed the steps in this thread. I checked the TPM status and secure boot settings, all of which seemed normal. I suspended and resumed BitLocker using the command prompts, and while suspending BitLocker temporarily solved the issue, resuming it caused it to start again. I checked the boot order and that the BIOS was fully up to date, and I checked the group policies and unchecked 'Allow BitLocker without a compatible TPM (requires a password or USB key at startup)' (Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives → Require additional authentication at setup). Finally, I decided to disable BitLocker and reenable it.

When reenabling BitLocker, I chose full drive encryption using the new encryption method. It asked me to shut down the system so it could determine whether BitLocker could encrypt my drive. I did so. Upon rebooting, I received this message:

[screenshot: IMG_20260406_141625_201]

Evidently, there is some issue with the TPM that seems to have arisen as a result of the BIOS update, despite the fact that I suspended BitLocker as requested. However, I am not certain where to proceed from here, especially as TPM management says the TPM is ready to use. I recall that when I first built this computer, I had to go into the BIOS to customise the TPM, mainly to turn on Secure Boot and switch the system mode to user, and I also made a number of changes to group policies. But I don't know if this would have had an impact.

What would be best for me to do to fix this issue?

Thank you kindly for your help.

Windows for home | Windows 11 | Security and privacy

Answer accepted by question author
  1. Lychee-Ng 17,350 Reputation points Microsoft External Staff Moderator
    2026-04-07T10:57:22.4466667+00:00

    Hi Rosalind,

    BitLocker repeatedly asking for the recovery key after a BIOS update, and then refusing to re‑enable, likely points to a TPM trust‑chain break scenario. The TPM now still holds old PCR expectations from before the BIOS update, which the system cannot provide anymore. You need to reset the TPM so BitLocker can create a fresh trust relationship.

    1 - Before touching TPM, confirm BitLocker is fully OFF

    • Open Command Prompt / PowerShell as Administrator
    • Run: manage-bde -status C: and make sure it's Fully Decrypted

    2 - Clear the TPM from Windows

    • Open Windows Security > Device security > Security processor details
    • Choose Security processor troubleshooting > Click Clear TPM > Confirm
    • If you’re warned about cryptographic reset, accept it and let system restart.

    3 - Try setting up BitLocker again

    • After reboot, enter BIOS and confirm:
      • TPM / fTPM is Enabled
      • Secure Boot is Enabled
      • Secure Boot Mode is Standard
      • Boot mode > UEFI only
    • If everything is normal, boot into Windows.

    In some cases, you might not see the option to clear TPM in Windows Security due to system blocks. Let me know if that happens and we will check out some more advanced options!


    1 person found this answer helpful.
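    The pre-flight checks in steps 1 to 3 above can be run in one go from an elevated PowerShell session. The script below is an added example, not part of the accepted answer or of any Microsoft documentation; it uses the in-box BitLocker, TrustedPlatformModule and SecureBoot cmdlets that ship with Windows 11 Pro and only reports state, so that the TPM is cleared deliberately (via Windows Security or Clear-Tpm) and only once C: and every other BitLocker-protected volume is fully decrypted.

```powershell
# Added example (not from the thread): pre-flight check before clearing the TPM.
# Run as Administrator on the affected machine. Assumes the in-box BitLocker,
# TrustedPlatformModule and SecureBoot PowerShell modules (Windows 11 Pro).

function Test-ClearTpmPreflight {
    param([string]$MountPoint = 'C:')

    $result = [ordered]@{}

    # 1. The OS volume must be fully decrypted: clearing the TPM discards the keys
    #    that a TPM-bound protector depends on, so this guards against data loss.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $result.VolumeStatus      = $vol.VolumeStatus          # FullyDecrypted / FullyEncrypted / ...
    $result.EncryptionPercent = $vol.EncryptionPercentage
    $result.Protectors        = ($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ', '

    # Any other volume that is still encrypted could also depend on the TPM.
    $others = Get-BitLockerVolume |
        Where-Object { $_.MountPoint -ne $MountPoint -and $_.VolumeStatus -ne 'FullyDecrypted' }
    $result.OtherEncryptedVolumes = ($others | ForEach-Object MountPoint) -join ', '

    $result.SafeToClearTpm = ($vol.VolumeStatus -eq 'FullyDecrypted') -and (-not $others)

    # 2. TPM state as Windows sees it (matches "ready for use" in TPM Management).
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady
    $result.TpmEnabled = $tpm.TpmEnabled

    # 3. Secure Boot state; Confirm-SecureBootUEFI throws on legacy/CSM boot,
    #    which is itself a useful finding for step 3 of the answer.
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = "unavailable: $($_.Exception.Message)" }

    [pscustomobject]$result
}

$check = Test-ClearTpmPreflight -MountPoint 'C:'
$check | Format-List

if (-not $check.SafeToClearTpm) {
    Write-Warning 'A BitLocker volume is still encrypted. Do not clear the TPM yet.'
} elseif ($check.TpmPresent -and $check.TpmReady) {
    Write-Host 'Preconditions met. Clear the TPM via Windows Security or Clear-Tpm; Windows will restart.'
} else {
    Write-Warning 'TPM is not reported as present and ready; check the fTPM setting in firmware first.'
}
```

    Running this before and after the TPM clear gives a before/after record of VolumeStatus, TpmReady and SecureBoot that is worth keeping if the problem has to be escalated later.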

1 additional answer

  1. Q&A Assist
    2026-04-06T05:01:19.6366667+00:00
    AI generated content. This answer was created with AI from Q&A Assist.

    The BIOS update has changed the boot/firmware measurements that BitLocker stores in the TPM (PCR values). As a result, the TPM can no longer release the key reliably, which is why recovery is triggered and why BitLocker now refuses to bind to the TPM when trying to turn it back on.

    To restore a stable BitLocker/TPM configuration, follow these steps in order:

    1. Verify which PCRs BitLocker is trying to use
      Open an elevated Command Prompt and run:
        manage-bde -protectors -get %systemdrive%
      On systems that use Secure Boot correctly, the PCR validation profile should show PCR 7, 11 (using Secure Boot for integrity validation). If it instead shows something like PCR 0, 2, 4, 11, BitLocker is not using Secure Boot correctly and is more sensitive to firmware changes.
    2. Make sure Secure Boot is correctly configured
      Since the issue started after a BIOS update, confirm in firmware setup that:
      • Secure Boot is enabled.
      • Secure Boot keys are correctly installed (many boards have an option to load factory/default keys).
        If Secure Boot is disabled or keys are missing, BitLocker cannot use PCR 7 and will fall back to other PCRs, which causes recovery after firmware changes.
    3. If the TPM is in a locked or inconsistent state, reset it in firmware
      If BitLocker still cannot enable after several attempts, treat the TPM as potentially locked or inconsistent:
      • Reboot and enter the UEFI/BIOS setup.
      • Disable the TPM in firmware, save changes, and boot into Windows once. In Windows, the TPM management console will show a message like “Compatible TPM cannot be found,” which is expected while it is disabled.
      • Reboot again, enter UEFI/BIOS, and re‑enable the TPM.
      • Boot back into Windows and try enabling BitLocker again.
      If BitLocker/TPM preparation still fails after disabling and re‑enabling the TPM, the next step is to clear the TPM. Clearing removes existing TPM keys and can cause data loss on any drive still protected by those keys, so only do this after confirming that the system drive is decrypted and that no other data depends on the TPM. Then follow the guidance in “Troubleshoot the TPM: Clear all the keys from the TPM.”
    4. Turn BitLocker back on and confirm the PCR profile
      After the TPM is working and Secure Boot is correctly configured:
      • Turn BitLocker on for the OS drive again.
      • Once encryption is enabled, run again:
        manage-bde -protectors -get %systemdrive%
      • Confirm that the PCR validation profile now shows PCR 7, 11, indicating that BitLocker is using Secure Boot for integrity validation. This configuration is required on modern systems and is more resilient to firmware updates.
    5. Avoid future recovery loops after firmware changes
      Any time firmware, boot configuration, or Secure Boot settings are changed, BitLocker may enter recovery. Suspending BitLocker before such changes is recommended, but if the TPM is not using PCR 7/11 or Secure Boot is misconfigured, recovery can still occur. Ensuring that Secure Boot is enabled and that BitLocker is bound to PCR 7/11 minimizes these issues.

    If, after these steps, BitLocker still cannot be enabled and the TPM continues to fail to unlock the drive, this points to a persistent firmware/TPM issue on the motherboard. In that case, collect BitLocker events from Event Viewer under Application and Services Logs → Microsoft → Windows → BitLocker‑API → Management and contact the motherboard vendor with those logs for further diagnosis.


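    Steps 1 and 4 of the answer above both come down to reading the PCR validation profile out of manage-bde output, and the closing paragraph asks for the BitLocker-API events. The script below is an added example, not part of the answer or of Microsoft's tooling: it parses the text that manage-bde -protectors -get prints for the TPM protector, flags whether the profile is the Secure Boot one (7, 11), and pulls the most recent entries from the BitLocker Management event log. The sample manage-bde output embedded in it is constructed for illustration (placeholder IDs and recovery password) and is only used when manage-bde.exe is not on the path.

```powershell
# Added example (not from the thread): extract the PCR validation profile from
# manage-bde output and collect recent BitLocker-API events for diagnosis.
# Assumes Windows 11 with manage-bde.exe and the in-box BitLocker event log.

function Get-BitLockerPcrProfile {
    param([string[]]$ManageBdeOutput)

    $inTpmBlock = $false
    $inProfile  = $false
    foreach ($line in $ManageBdeOutput) {
        $t = $line.Trim()
        # A new protector section starts with its type, e.g. "TPM:" or "Numerical Password:".
        if ($t -match '^TPM(\s+And\s+\w+)*:$')          { $inTpmBlock = $true;  continue }
        if ($t -match '^(Numerical|Recovery) Password:$') { $inTpmBlock = $false; $inProfile = $false; continue }
        if ($inTpmBlock -and $t -match '^PCR Validation Profile:$') { $inProfile = $true; continue }
        # The line after the heading is the comma-separated PCR list, e.g. "7, 11".
        if ($inProfile -and $t -match '^\d+(,\s*\d+)*$') {
            $pcrs = [int[]]($t -split ',\s*')
            return [pscustomobject]@{
                Pcrs           = $pcrs
                # PCR 7 + 11 is the Secure Boot profile the answer recommends;
                # 0, 2, 4, 11 is the legacy firmware-measurement profile.
                UsesSecureBoot = (7 -in $pcrs) -and (11 -in $pcrs) -and (0 -notin $pcrs)
            }
        }
    }
    return $null   # no TPM protector found (e.g. volume fully decrypted)
}

function Get-RecentBitLockerEvents {
    param([int]$Count = 20)
    # Same log as Event Viewer > Application and Services Logs > Microsoft > Windows > BitLocker-API > Management
    Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Constructed sample in the shape manage-bde prints; IDs and password are placeholders.
$sampleOutput = @'
Volume C: [Windows]
All Key Protectors

    Numerical Password:
      ID: {00000000-0000-0000-0000-000000000000}
      Password:
        000000-000000-000000-000000-000000-000000-000000-000000

    TPM:
      ID: {11111111-1111-1111-1111-111111111111}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)
'@ -split "`r?`n"

$output = if (Get-Command manage-bde.exe -ErrorAction SilentlyContinue) {
    & manage-bde.exe -protectors -get C: 2>&1 | ForEach-Object { "$_" }
} else {
    $sampleOutput
}

$profile = Get-BitLockerPcrProfile -ManageBdeOutput $output
if ($null -eq $profile) {
    Write-Host 'No TPM protector on C: (expected while the volume is decrypted).'
} elseif ($profile.UsesSecureBoot) {
    Write-Host "PCR profile $($profile.Pcrs -join ', '): bound to Secure Boot, resilient to firmware updates."
} else {
    Write-Warning "PCR profile $($profile.Pcrs -join ', '): not the Secure Boot profile; check Secure Boot and its keys in firmware."
}

# Recent BitLocker management events, ready to save for the motherboard vendor.
Get-RecentBitLockerEvents | Format-Table -AutoSize -Wrap
```

    Note that the raw manage-bde output also prints the numerical recovery password, so redact that section before attaching the output to a support thread; the event log export does not contain it.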
