
BitLocker recovery loop on startup

jeffrey hogue 0 Reputation points
2026-04-07T21:27:18.53+00:00

BitLocker recovery key needed each time I try to start the laptop.

Windows for home | Windows 11 | Security and privacy

2 answers

  1. EmilyS726 222.2K Reputation points Independent Advisor
    2026-04-07T22:21:21.59+00:00

    You can type cmd in the search on the taskbar, make sure you use "run as administrator" to launch Command Prompt, then run this command:

    manage-bde -off C:
    

    Let it run through. When it is done, the command prompt will return to the new row. Then you can run this command to verify status:

    manage-bde -status
    

    If you still want to use it, go to Control Panel > BitLocker and enable it again. Then go to your account to make sure the key is properly saved.

    https://account.microsoft.com/devices/recoverykey


  2. Q&A Assist
    2026-04-07T21:27:34.93+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    BitLocker is entering recovery on every startup because something in the boot configuration or TPM measurements no longer matches what BitLocker expects. After using the recovery key to boot, the protection needs to be reset so it stops asking every time.

    Follow these steps after successfully unlocking with the recovery key:

    1. Identify why recovery is triggered
      • Sign in to Windows.
      • Open an elevated Command Prompt (Run as administrator).
      • Run:
             manage-bde.exe -status
        
        This shows which protection mode is configured (TPM, TPM+PIN, etc.).
      • Check Event Viewer for BitLocker-related events that indicate the cause (for example, boot file change, firmware/BIOS/UEFI update, Secure Boot change, TPM changes).
    2. Check PCR profile and configuration
      • In the same elevated Command Prompt, run:
             manage-bde.exe -protectors -get C:
        
        (replace C: if the OS drive is different)
      • Confirm which PCRs are in use. On modern devices (especially Connected Standby-capable PCs and Surface), BitLocker should normally bind to PCR 7 (and PCR 11) with Secure Boot enabled. If custom PCRs were configured (for example, via Group Policy or Secure Boot disabled), that can cause repeated recovery after firmware or TPM changes.
    3. Reset BitLocker validation profile
      • After identifying and correcting the root cause (for example, re‑enabling Secure Boot, completing any pending firmware/TPM updates, or reverting unintended boot changes), reset BitLocker so it relearns the current good configuration:
        1. Open an elevated Command Prompt.
        2. Suspend BitLocker:
                  manage-bde -protectors -disable C:
          
        3. Reboot the device once so it starts normally without recovery.
        4. Re‑enable BitLocker protectors:
                  manage-bde -protectors -enable C:
          
        Suspending and then resuming BitLocker resets the validation profile so it should no longer prompt for recovery at every startup, assuming the underlying cause is resolved.
    4. If recovery is due to a forgotten PIN
      • If using TPM+PIN and the PIN was forgotten, use the recovery key to unlock, then while signed in:
        1. Open Control Panel → BitLocker Drive Encryption.
        2. Expand the OS drive and select Change PIN.
        3. Choose Reset a forgotten PIN, provide admin credentials if prompted.
        4. Set a new PIN and finish the wizard.
      • This prevents repeated recovery due to an unknown PIN.
    5. If the issue started after UEFI/TPM or firmware changes (common on Surface)
      • Verify Secure Boot is enabled in UEFI and that the TPM is using the default PCR configuration (PCR 7 and 11). Surface and other Connected Standby devices must use PCR 7.
      • If custom PCRs were set (for example, via Group Policy) or Secure Boot was disabled, restore them to defaults, then perform the suspend/resume steps above.

    If, after correcting configuration and suspending/resuming BitLocker, the device still enters recovery at every boot, further investigation of firmware, TPM configuration, or potential malware/rootkit issues is required before re‑establishing BitLocker protection.

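The triage and suspend/resume procedure from the answer above, collected into one script that can be run from an elevated PowerShell session. This is an added example, not code from either answer or from Microsoft. It assumes the OS volume is C:, Windows 10/11 with the BitLocker PowerShell module, and UEFI firmware (Confirm-SecureBootUEFI throws on legacy BIOS, which the script treats as "not enabled"). Two details differ from the answers: it refuses to touch the TPM protector until a recovery password protector exists (its KeyProtectorId is the same ID shown at https://account.microsoft.com/devices/recoverykey, so it can be matched there), and it suspends protection with a reboot count of 1 so that Windows resumes protection itself on the next boot and re-seals the key to the PCR values measured during that boot. Unlike manage-bde -off, which decrypts the whole drive, the data stays encrypted throughout.

```powershell
# Added example (not from the original answers): triage and reset a BitLocker
# recovery loop. Assumptions: OS volume is C:, elevated PowerShell on Windows 10/11,
# UEFI firmware. Run it once while signed in after unlocking with the recovery key.
#Requires -RunAsAdministrator

$osDrive = 'C:'

# 1. Protection state and which protector types are present (Tpm, TpmPin, RecoveryPassword, ...)
$vol = Get-BitLockerVolume -MountPoint $osDrive
"{0}: {1}, {2}, {3}% encrypted" -f $osDrive, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize

# 2. Platform state that changes the TPM measurements: Secure Boot and TPM readiness
$secureBoot = $false
try { $secureBoot = Confirm-SecureBootUEFI } catch { Write-Warning "Secure Boot query failed (legacy BIOS?): $_" }
"Secure Boot enabled: $secureBoot"
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmOwned | Format-List

# 3. PCR validation profile: Get-BitLockerVolume does not expose it, manage-bde does
manage-bde -protectors -get $osDrive | Select-String -Pattern 'PCR Validation Profile' -Context 0, 2

# 4. Recent events from the BitLocker management channel; the message text names the
#    reason recovery was required (boot file change, Secure Boot change, TPM change, ...)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 5. Never modify the TPM protector without a recovery password on the volume.
#    The KeyProtectorId printed here is the ID the Microsoft account portal lists.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    throw "No recovery password protector on $osDrive. Add one first: Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector"
}
"Recovery password protector ID(s): " + ($rp.KeyProtectorId -join ', ')

# 6. Fix the root cause (Secure Boot, pending firmware/TPM update, boot changes) BEFORE this step.
#    Suspending for one reboot stores the volume key in the clear for that single boot;
#    Windows then resumes protection automatically and re-seals the key to the current PCRs.
Suspend-BitLocker -MountPoint $osDrive -RebootCount 1
Write-Host "Protection suspended for one reboot. Restart now; BitLocker resumes on its own after that boot."
Write-Host "Verify afterwards with: Get-BitLockerVolume -MountPoint $osDrive   (ProtectionStatus should be On)"
```

If the device still drops into recovery after the resumed boot, the cause is something the PCR profile keeps seeing as changed (dual-boot loaders, a firmware update that has not finished, Secure Boot toggled back off), and the steps above should be repeated after that is fixed rather than leaving protection suspended.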
