Bitlocker TPM only configuration still asks for recovery key

asked 2020-09-09T16:09:53.123+00:00
Alex McFarland 21 Reputation points


I am trying to set up BitLocker on Microsoft Surface Pro 3s and having a hard time. I want the Surface to unlock automatically. I DO NOT want the user to have to enter a BitLocker recovery key or anything like that; I want it to boot straight to Windows. It worked for the other Surfaces, but this one constantly wants the recovery key to continue on to Windows. I'm not really sure why this is happening.

My GPO settings for BitLocker are defined as follows:

Thanks, Alex


4 answers

  1. answered 2020-09-09T17:49:20.45+00:00
    Bagitman 561 Reputation points

    You would expect BitLocker to ask for the recovery key if you are using the combination TPM 2.0 + MBR formatting.
    With TPM 2.0, you need GPT formatting; otherwise, the system will ask for the recovery key on each reboot.

    Run (in diskpart):

        list disk

    to find out whether your disks are GPT formatted or not (an "*" below GPT means that it's GPT formatted).

  2. answered 2020-09-09T21:05:09.073+00:00
    Bagitman 561 Reputation points

    The usual suspects that trigger recovery mode are:

    • updating the firmware/BIOS without first suspending BitLocker (Windows Update automatically distributes firmware updates for Surface machines!)
    • changing boot settings like boot order or Secure Boot

    If that does not apply, you should succeed. If you don't, it's not about policies - those cannot be misconfigured.

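    The two checks from the answers above (GPT partition style, and suspending BitLocker before a firmware/TPM update) gathered into one script, as an added PowerShell example that is not from this thread. It assumes Windows 10, an elevated prompt, and that the OS volume is C:.

```powershell
# Added example, not from the thread: verifies the conditions a TPM-only BitLocker
# unlock depends on, and optionally suspends protection for exactly one reboot so a
# firmware/TPM update does not change the PCR measurements the key is sealed against.
# Assumes Windows 10, an elevated prompt, and the OS volume mounted at C:.
param(
    [string]$MountPoint = 'C:',
    [switch]$SuspendForFirmwareUpdate
)

# 1. Partition style: TPM 2.0 with an MBR disk prompts for the recovery key on each boot.
$osDisk = Get-Partition -DriveLetter $MountPoint.TrimEnd(':') | Get-Disk
"Partition style of OS disk: $($osDisk.PartitionStyle)"
if ($osDisk.PartitionStyle -ne 'GPT') {
    Write-Warning 'OS disk is not GPT; expect recovery prompts with TPM 2.0.'
}

# 2. TPM state and spec version (the Win32_Tpm WMI class exposes SpecVersion, e.g. "2.0, 0, 1.38").
$tpm    = Get-Tpm
$tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
"TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)  spec: $($tpmWmi.SpecVersion)"

# 3. Secure Boot: toggling it changes the measured boot chain and triggers recovery.
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { Write-Warning 'Legacy BIOS boot, or Secure Boot state not readable.' }

# 4. Key protectors: a TPM-only setup shows a 'Tpm' protector (plus the escrowed
#    'RecoveryPassword'). 'TpmPin' or 'ExternalKey' means the policy is not TPM-only.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Protection: $($vol.ProtectionStatus)  Protectors: $(($vol.KeyProtector.KeyProtectorType) -join ', ')"

# 5. Before a firmware/TPM update, suspend protection for one reboot. Windows resumes
#    it automatically afterwards and re-seals the key against the new measurements.
if ($SuspendForFirmwareUpdate -and $vol.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    "BitLocker suspended on $MountPoint for one reboot; apply the firmware update now."
}
```

    Run it once to read the state, then again with -SuspendForFirmwareUpdate immediately before installing the Surface firmware or TPM package.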

  3. answered 2020-09-10T03:22:15.747+00:00
    Joy Qiao 4,766 Reputation points Microsoft Employee


    I noticed you said the other Microsoft Surface devices work well, so please check whether the specific device is the same model as the others and whether it is configured with the same group policy as the others.

    The recovery key prompt might be triggered by hardware changes, motherboard replacement, malware attack, Windows updates, hard drive crash, system crash, or the program believing the data might be under attack.
    So, disable antivirus software temporarily, update hardware drivers, update the system, disable BitLocker and enable it again, and try booting your computer into Clean Boot to check whether the issue persists.

    We could also run the following command line as administrator to check and repair system files:

        DISM.exe /Online /Cleanup-image /Restorehealth

    There are some similar issues that might provide hints for you:
    BitLocker Asks for a Recovery Key Every Boot on USB-C / Thunderbolt Systems When Docked or Undocked
    Laptop, Surface Book, BitLocker keeps asking for recovery key

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.



    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  4. answered 2020-09-16T12:31:04.24+00:00
    Alex McFarland 21 Reputation points


    Thank you for your replies, they have been really helpful.

    I did update the firmware/drivers on the Surface after configuring BitLocker, so I think you are right about that causing some issues. Microsoft doesn't offer separate drivers; they seem to be all packaged up in one .msi, and then there are some miscellaneous firmware/TPM updates. I installed those updates, including the TPM update, after enabling BitLocker. Since BitLocker fails on these machines a lot, it's the first thing that I try to configure before other updates.

    I turned off BitLocker twice, or tried to, and it looks as if it is just encrypting the device all over again. It says it's decrypting for a split second and then goes back to encrypting. Very frustrating to work with this on the Surface...

    Of the other Surfaces that I did, some were the exact same model. I have the exact same settings on here. The Surface Books worked the best, and these Pro 3s are the worst of the two. I have had to wipe one of the Pros about 4 times before getting BitLocker to actually work right.

    I can see in my AV console that the key was revoked and login authentication was reset, so it should be good, but it's not. It still boots up asking for the key.
    I have to wipe this, and unfortunately I was finished with the device and had all programs configured.

    I guess I will be wiping this Surface to try and remove the grip that BitLocker has over this device.

