How to fix BitLocker always prompting for Recovery Key

Posted on Christian By Christian No Comments on How to fix BitLocker always prompting for Recovery Key
How-to-fix-BitLocker-always-prompting-for-Recovery-Key

In this article, we will discuss how to fix BitLocker always prompting for Recovery Key. Please see “How to fix you are not allowed to view this folder on SSRS: MBAM reports cannot be accessed because it could not load folder contents“, and How to Change the Lock Screen Wallpaper in Windows 11. BitLocker is an encryption function of the Windows Operating System. Encrypted drives can only be accessed with the correct key, which is released by the Trusted Platform Module (TPM) when the PC boots up.

Note: Most devices such as Dell do not require you to manually suspend or resume BitLocker when applying Windows or BIOS updates.

Also, see how to fix an error has occurred during report processing (rsProcessingAborted), how to Install Hadoop on Linux, and how to Disable BitLocker on Windows 10.

Reasons for BitLocker’s Frequent Recovery Mode Prompt?

You might encounter this issue where BitLocker asks for a recovery key every time you boot up your computer due to the reasons below. This issue is as a result of external factors and not related to BitLocker/MBAM itself.

Oftentimes, this issue is mostly common with USB-C/Thunderbolt devices when docked or undocked. or when you are having software or hardware issues on your device. Therefore, you must check your event logs to have this issue resolved correctly.

Note: BitLocker monitors the computer for changes to the boot configuration. Therefore, when it detects a new device in the boot list or an attached external storage device (USB etc.), this behavior (recovery mode prompt) could be prompted. for security reasons. This is normal behavior.

If the recovery key is needed after each start. Possible reasons for this are that wrong settings have been selected in the BIOS or an update has disabled the TPM. To fix this, adjust the BIOS settings.

Also, see How to Change BitLocker Password in Windows, how to Backup existing and new BitLocker Recovery Keys to Active Directory, and how to Fix no BitLocker Recovery tab in Active Directory.

Resolve irregular BitLocker Recovery Prompt

As mentioned, this problem is due to the wrong BIOS settings and examples of this are the boot support for “USB-C/TBT” and “Preboot for TBT” set to “On” by default.

Turning these options off in the BIOS removes any USB-C/TBT devices from the boot list, and BitLocker does not see them. Therefore, in this guide, you will learn the steps to prevent BitLocker from prompting for a recovery key upon booting up your USB type-C or Thunderbolt 3 computer while using a docking station.

Set the BIOS to Prevent BitLocker Recovery Key Prompts

Enter the BIOS by pressing “F2” or “F12” depending on your device at the boot screen.

Navigate to System Configuration, then USB Configuration. Then, set: POST Behavior -> Fastboot -> Thorough as shown below.

Fastboot-thorough
How to fix BitLocker always prompting for Recovery Key

Note: Depending on the computer type, these options may be in other locations. Therefore, disable USB Type-C or Thunderbolt 3 Boot support, and Disable UEFI Network Stack.

You can make the other changes as it applies to you. This solution should work in UEFI mode. For computers using legacy mode.

Once these changes are made, the computer should not prompt for the BitLocker key on every boot.

Other Reasons for BitLocker Recovery Prompt

Note: This topic has been discussed previously “Reasons for BitLocker Recovery Prompt: Query the number of BitLocker recovery requests“. Since there are other reasons for recovery key prompts that this procedure may not resolve. You must refer to the Event Viewer to determine the root cause of the frequent restart.

From the event logs on a problematic device. You will see some entries as follows. This is why you must take a look at the Windows event Log as well.

  • Unexpected system shutdowns were recorded multiple times. This could be due to a malfunctioning hardware component.
  • The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

In addition to these entries, if there are power-related events. It is worth mentioning that, a depleted battery could also prompt the recovery mode. Therefore, the power cable should always be connected.

In theory, here are some possibilities that could cause this issue. You will have to check specifically to pinpoint what could have happened in your case.

- BIOS-related change or upgrade (wide-scope).
- Changes in the Platform Configuration Registers (PCRs) used by the TPM validation profile
- Failing the TPM self-test
- Attempting to change the boot order during the boot process with any of the hotkeys on the keyboard.
- A depleted battery could also prompt the recovery mode and also prevent BitLocker(MBAM) from encrypting the drive as you have reported in the past.

There are a lot of other issues but not limited to those mentioned above. In order to determine your specific use case. You should check the MBAM Client event logs in the location below.

Event Viewer – Applications and Services Logs – Microsoft – Windows – MBAM - Operational path.

See How to add one or more external displays with your Mac, and how to Fix the Thunderbolt application is not in use and can be safely uninstalled.

FAQs

Is it possible to fully decrypt the drives?

Yes, the drives can be accessed if the system admin grants you access to the BitLocker Applet via the Control Panel, Disk Context menu or via the PowerShell command. See How to correctly disable BitLocker on Windows Server

launch the Windows Control Panel and navigate to the BitLocker Drive Encryption, and disable BitLocker. Alternatively, you could use any of the following commands – PowerShell: Disable-BitLocker -MountPoint “C:” or via the Command Prompt: manage-bde -off C:

– To disable BitLocker for all Volumes:
$BLV = Get-BitLockerVolume
Disable-BitLocker -MountPoint $BLV

When do I need the recovery key?

The recovery key is only needed if the key is no longer stored in the TPM memory, so you don’t have to have it with you all the time.

Do I need to have sufficient Battery or have my Laptop connected to Power?

Please make sure that there is a sufficient power supply, else, MBAM encryption will not work.
Power Supply

Is TPM-only authentication mode recommended by Microsoft for BitLocker Encryption?

TPM-only authentication mode is not recommended because it is vulnerable to some kind of cold-boot attacks. See this link for more information. These attacks require that my laptop is still running when the attacker has sufficient access to it. People take this risk for the convenience. If you require increased protection, please use TPM + PIN. According to current knowledge, decryption is not possible without knowing the PIN.

I hope you found this blog post on how to fix BitLocker always prompting for Recovery Key helpful. Please let me know in the comment section if you have any questions.

5/5 - (1 vote)
Windows Tags:, , , , , ,

Related Posts

More Related Articles

Remove Bing Chat Button from Edge Sidebar How to Remove Bing Chat Button from Edge Sidebar Windows
OpenSSL on Windows How to Install OpenSSL on Windows Computers Windows
slide10 Add Dynamic Wallpaper controlled by time on Windows 10 and 11 Windows
Add or remove features fix dotnet framework issues Fix the request to add or remove features on the specified server failed Windows
vcx Fix Error code 0x4 Session disconnected: Your session ended because of an error, if this keeps happening, contact your system administrator Windows
Clear Saved Email Address in Microsoft Edge Clear Saved Email Address: Stop Microsoft Edge from remembering your email ID Windows

Leave a Reply