How to fix BitLocker always prompting for Recovery Key

Posted on Christian By Christian No Comments on How to fix BitLocker always prompting for Recovery Key
How-to-fix-BitLocker-always-prompting-for-Recovery-Key

In this article, we will discuss how to fix BitLocker always prompting for Recovery Key. Please see “How to fix you are not allowed to view this folder on SSRS: MBAM reports cannot be accessed because it could not load folder contents“, and How to Change the Lock Screen Wallpaper in Windows 11. BitLocker is an encryption function of the Windows Operating System. Encrypted drives can only be accessed with the correct key, which is released by the Trusted Platform Module (TPM) when the PC boots up.

Note: Most devices such as Dell do not require you to manually suspend or resume BitLocker when applying Windows or BIOS updates.

Also, see how to fix an error has occurred during report processing (rsProcessingAborted), how to Install Hadoop on Linux, and how to Disable BitLocker on Windows 10.

Reasons for BitLocker’s Frequent Recovery Mode Prompt?

You might encounter this issue where BitLocker asks for a recovery key every time you boot up your computer due to the reasons below. This issue is as a result of external factors and not related to BitLocker/MBAM itself.

Oftentimes, this issue is mostly common with USB-C/Thunderbolt devices when docked or undocked. or when you are having software or hardware issues on your device. Therefore, you must check your event logs to have this issue resolved correctly.

Note: BitLocker monitors the computer for changes to the boot configuration. Therefore, when it detects a new device in the boot list or an attached external storage device (USB etc.), this behavior (recovery mode prompt) could be prompted. for security reasons. This is normal behavior.

If the recovery key is needed after each start. Possible reasons for this are that wrong settings have been selected in the BIOS or an update has disabled the TPM. To fix this, adjust the BIOS settings.

Also, see How to Change BitLocker Password in Windows, how to Backup existing and new BitLocker Recovery Keys to Active Directory, and how to Fix no BitLocker Recovery tab in Active Directory.

Resolve irregular BitLocker Recovery Prompt

As mentioned, this problem is due to the wrong BIOS settings and examples of this are the boot support for “USB-C/TBT” and “Preboot for TBT” set to “On” by default.

Turning these options off in the BIOS removes any USB-C/TBT devices from the boot list, and BitLocker does not see them. Therefore, in this guide, you will learn the steps to prevent BitLocker from prompting for a recovery key upon booting up your USB type-C or Thunderbolt 3 computer while using a docking station.

Set the BIOS to Prevent BitLocker Recovery Key Prompts

Enter the BIOS by pressing “F2” or “F12” depending on your device at the boot screen.

Navigate to System Configuration, then USB Configuration. Then, set: POST Behavior -> Fastboot -> Thorough as shown below.

Fastboot-thorough
How to fix BitLocker always prompting for Recovery Key

Note: Depending on the computer type, these options may be in other locations. Therefore, disable USB Type-C or Thunderbolt 3 Boot support, and Disable UEFI Network Stack.

You can make the other changes as it applies to you. This solution should work in UEFI mode. For computers using legacy mode.

Once these changes are made, the computer should not prompt for the BitLocker key on every boot.

Other Reasons for BitLocker Recovery Prompt

Note: This topic has been discussed previously “Reasons for BitLocker Recovery Prompt: Query the number of BitLocker recovery requests“. Since there are other reasons for recovery key prompts that this procedure may not resolve. You must refer to the Event Viewer to determine the root cause of the frequent restart.

From the event logs on a problematic device. You will see some entries as follows. This is why you must take a look at the Windows event Log as well.

  • Unexpected system shutdowns were recorded multiple times. This could be due to a malfunctioning hardware component.
  • The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

In addition to these entries, if there are power-related events. It is worth mentioning that, a depleted battery could also prompt the recovery mode. Therefore, the power cable should always be connected.

In theory, here are some possibilities that could cause this issue. You will have to check specifically to pinpoint what could have happened in your case.

- BIOS-related change or upgrade (wide-scope).
- Changes in the Platform Configuration Registers (PCRs) used by the TPM validation profile
- Failing the TPM self-test
- Attempting to change the boot order during the boot process with any of the hotkeys on the keyboard.
- A depleted battery could also prompt the recovery mode and also prevent BitLocker(MBAM) from encrypting the drive as you have reported in the past.

There are a lot of other issues but not limited to those mentioned above. In order to determine your specific use case. You should check the MBAM Client event logs in the location below.

Event Viewer – Applications and Services Logs – Microsoft – Windows – MBAM - Operational path.

See How to add one or more external displays with your Mac, and how to Fix the Thunderbolt application is not in use and can be safely uninstalled.

FAQs

Is it possible to fully decrypt the drives?

Yes, the drives can be accessed if the system admin grants you access to the BitLocker Applet via the Control Panel, Disk Context menu or via the PowerShell command. See How to correctly disable BitLocker on Windows Server

launch the Windows Control Panel and navigate to the BitLocker Drive Encryption, and disable BitLocker. Alternatively, you could use any of the following commands – PowerShell: Disable-BitLocker -MountPoint “C:” or via the Command Prompt: manage-bde -off C:

– To disable BitLocker for all Volumes:
$BLV = Get-BitLockerVolume
Disable-BitLocker -MountPoint $BLV

When do I need the recovery key?

The recovery key is only needed if the key is no longer stored in the TPM memory, so you don’t have to have it with you all the time.

Do I need to have sufficient Battery or have my Laptop connected to Power?

Please make sure that there is a sufficient power supply, else, MBAM encryption will not work.
Power Supply

Is TPM-only authentication mode recommended by Microsoft for BitLocker Encryption?

TPM-only authentication mode is not recommended because it is vulnerable to some kind of cold-boot attacks. See this link for more information. These attacks require that my laptop is still running when the attacker has sufficient access to it. People take this risk for the convenience. If you require increased protection, please use TPM + PIN. According to current knowledge, decryption is not possible without knowing the PIN.

I hope you found this blog post on how to fix BitLocker always prompting for Recovery Key helpful. Please let me know in the comment section if you have any questions.

5/5 - (1 vote)
Windows Tags:, , , , , ,

Related Posts

More Related Articles

Reset folder view settings on File Explorer for Windows 11 and 10 Reset folder view settings on File Explorer for Windows 11 and 10 Windows
Screenshot 2022 04 02 at 22.17.10 How to Install Kubectl on Windows 11 Windows
Use PowerShell to View and Change BIOS Settings Use PowerShell to View and Change BIOS Settings Windows
WIinG Capture and Record your Screen in Windows 10 with Xbox Game Bar Windows
Fix Boot Failed UEFI SCSI Device on HyperV How to Fix Boot Failed UEFI SCSI Device on HyperV Virtualization
The evolution of Windows authentication NTLM to Keberos Bidding Farewell to NTLM in favour of Kerberos Windows

Leave a Reply