BitLocker recovery: known issues
This article describes common issues that may prevent BitLocker from behaving as expected when a drive is recovered, or that may cause BitLocker to start recovery unexpectedly. The article also provides guidance to address these issues.
Note
In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see BitLocker key protectors.
Windows prompts for a non-existing BitLocker recovery password
Windows prompts for a BitLocker recovery password. However, a BitLocker recovery password wasn't configured.
Resolution for Windows prompts for a non-existing BitLocker recovery password
The BitLocker and Active Directory Domain Services (AD DS) FAQ address situations that may produce this symptom, and provides information about the procedure to resolve the issue:
What if BitLocker is enabled on a computer before the computer has joined the domain?
What happens if the backup initially fails? Will BitLocker retry the backup?
The recovery password for a laptop wasn't backed up, and the laptop is locked
Consider the following scenario:
The hard disk of a Windows 11 or Windows 10 laptop has to be recovered. The disk was encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery password wasn't backed up, and the usual user of the laptop isn't available to provide the password.
Resolution for the recovery password for a laptop wasn't backed up
You can use either of the following methods to manually back up or synchronize an online client's existing recovery information:
Create a Windows Management Instrumentation (WMI) script that backs up the information. For more information, see BitLocker Drive Encryption Provider.
In an elevated Command Prompt window, use the manage-bde.exe command to back up the information.
For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command:
***cmd manage-bde.exe -protectors -adbackup C:
Note
BitLocker does not automatically manage this backup process.
Tablet devices don't support using manage-bde.exe -forcerecovery to test recovery mode
Consider the following scenario:
BitLocker recovery needs to be tested on a tablet or slate device by running the following command:
***cmd manage-bde.exe -forcerecovery
However, after entering the recovery password, the device can't start.
Cause of tablet devices don't support using manage-bde.exe -forcerecovery to test recovery mode
Important
Tablet devices do not support the manage-bde.exe -forcerecovery command.
This issue occurs because the Windows Boot Manager can't process touch-input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch-input.
If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the manage-bde.exe -forcerecovery command deletes the TPM protectors on the hard disk. Therefore, WinRE can't reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting.
This behavior is by design for all versions of Windows.
Workaround for tablet devices don't support using manage-bde.exe -forcerecovery to test recovery mode
To resolve the restart loop, follow these steps:
On the BitLocker Recovery screen, select Skip this drive.
Select Troubleshoot > Advanced Options > Command Prompt.
In the Command Prompt window, run the following commands:
manage-bde.exe -unlock C: -rp <48-digit BitLocker recovery password> manage-bde.exe -protectors -disable C:Close the Command Prompt window.
Shut down the device.
Start the device. Windows should start as usual.
After installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
Consider the following scenario:
A Surface device has BitLocker drive encryption turned on. The firmware of the Surface's TPM is updated or an update that changes the signature of the system firmware is installed. For example, the Surface TPM (IFX) update is installed.
You experience one or more of the following symptoms on the Surface device:
At startup, the Surface device prompts for a BitLocker recovery password. The correct recovery password is entered, but Windows doesn't start up.
Startup progresses directly into the Surface device's Unified Extensible Firmware Interface (UEFI) settings.
The Surface device appears to be in an infinite restart loop.
Cause of after installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way:
- Secure boot is turned off.
- PCR values have been explicitly defined, such as by group policy.
Devices that support Connected Standby (also known as InstantGO or Always On, Always Connected PCs), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see the BitLocker Group Policy Settings: About the Platform Configuration Register (PCR).
Resolution for after installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
To verify the PCR values that are in use on a device, open an elevated Command Prompt window and run the following command:
manage-bde.exe -protectors -get <OSDriveLetter>:
In this command, <OSDriveLetter> represents the drive letter of the operating system drive.
To resolve this issue and repair the device, follow these steps:
Step 1: Disable the TPM protectors on the boot drive
If a TPM or UEFI update has been installed and the Surface device can't start, even if the correct BitLocker recovery password has been entered, the ability to start can be restored by using the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive.
To use the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive, follow these steps:
Obtain the BitLocker recovery password from the Surface user's Microsoft.com account. If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), Configuration Manager BitLocker Management, or Intune, contact the administrator for help.
Use another computer to download the Surface recovery image from Surface Recovery Image Download. Use the downloaded image to create a USB recovery drive.
Insert the USB Surface recovery image drive into the Surface device, and start the device.
When prompted, select the following items:
The operating system language.
The keyboard layout.
Select Troubleshoot > Advanced Options > Command Prompt.
In the Command Prompt window, run the following commands:
manage-bde.exe -unlock -recoverypassword <Password> <DriveLetter>: manage-bde.exe -protectors -disable <DriveLetter>:where:
- <Password> is the BitLocker recovery password that was obtained in Step 1
- <DriveLetter> is the drive letter that is assigned to the operating system drive
Note
For more information about how to use this command, see manage-bde unlock.
Restart the computer.
When prompted, enter the BitLocker recovery password that was obtained in Step 1.
Note
After the TPM protectors are disabled, BitLocker drive encryption no longer protects the device. To re-enable BitLocker drive encryption, select Start, type Manage BitLocker, and then press Enter. Follow the steps to encrypt the drive.
Step 2: Use Surface BMR to recover data and reset the Surface device
To recover data from the Surface device if Windows doesn't start, follow steps 1 through 5 of the section Step 1: Disable the TPM protectors on the boot drive to get to a Command Prompt window. Once a Command Prompt window is open, follow these steps:
At the command prompt, run the following command:
manage-bde.exe -unlock -recoverypassword <Password> <DriveLetter>:In this command, <Password> is the BitLocker recovery password that was obtained in Step 1 of the section Step 1: Disable the TPM protectors on the boot drive, and <DriveLetter> is the drive letter that is assigned to the operating system drive.
After the drive is unlocked, use the
copyorxcopy.execommand to copy the user data to another drive.Note
For more information about the these commands, see the Windows commands article.
To reset the device by using a Surface recovery image, follow the instructions in the article Creating and using a USB recovery drive for Surface.
Step 3: Restore the default PCR values
To prevent this issue from recurring, it's recommended to restore the default configuration of Secure Boot and the PCR values.
To enable Secure Boot on a Surface device, follow these steps:
Suspend BitLocker by opening an elevated Windows PowerShell window and running the following PowerShell cmdlet:
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0In this command, <DriveLetter> is the letter that is assigned to the drive.
Restart the device, and then edit the UEFI settings to set the Secure Boot option to Microsoft Only.
Restart the device and sign into Windows.
Open an elevated PowerShell window and run the following PowerShell cmdlet:
Resume-BitLocker -MountPoint "<DriveLetter>:"
To reset the PCR settings on the TPM, follow these steps:
Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies.
For more information, see BitLocker Group Policy settings.
Suspend BitLocker by opening an elevated Windows PowerShell window and running the following PowerShell cmdlet:
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0In this command, <DriveLetter> is the letter that is assigned to the drive.
Run the following PowerShell cmdlet:
Resume-BitLocker -MountPoint "<DriveLetter>:"
Step 4: Suspend BitLocker during TPM or UEFI firmware updates
You can avoid this scenario when installing updates to system firmware or TPM firmware by temporarily suspending BitLocker before applying such updates.
Important
TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this process, the PowerShell cmdlet Suspend-BitLocker must be used and the Reboot Count parameter must be set to either of the following values:
2 or greater: This value sets the number of times the device will restart before BitLocker Device Encryption resumes. For example, setting the value to 2 will cause BitLocker to resume after the device restarts twice.
0: This value suspends BitLocker Drive Encryption indefinitely. To resume BitLocker, the PowerShell cmdlet Resume-BitLocker or another mechanism needs to be used to resume BitLocker protection.
To suspend BitLocker while installing TPM or UEFI firmware updates:
Open an elevated Windows PowerShell window and run the following PowerShell cmdlet:
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0In this PowerShell cmdlet, <DriveLetter> is the letter that is assigned to the drive.
Install the Surface device driver and firmware updates.
After installing the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following PowerShell cmdlet:
Resume-BitLocker -MountPoint "<DriveLetter>:"
Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
Consider the following scenario:
A device uses TPM 1.2 and runs Windows 10, version 1809. The device also uses Virtualization-based Security features such as Device Guard and Credential Guard. Every time the device is started, the device enters BitLocker Recovery mode and an error message similar to the following error message is displayed:
Recovery
Your PC/Device needs to be repaired. A required file couldn't be accessed because your BitLocker key wasn't loaded correctly.
Error code 0xc0210000
You'll need to use recovery tools. If you don't have any installation media (like a disc or USB device), contact your PC administrator or PC/Device manufacturer.
Cause of Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
TPM 1.2 doesn't support Secure Launch. For more information, see System Guard Secure Launch and SMM protection: Requirements Met by System Guard Enabled Machines
For more information about this technology, see Windows Defender System Guard: How a hardware-based root of trust helps protect Windows
Resolution for Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
To resolve this issue, use one of the following two solutions:
- Remove any device that uses TPM 1.2 from any group that is subject to GPOs that enforce secure launch.
- Edit the Turn On Virtualization Based Security GPO to set Secure Launch Configuration to Disabled.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for