BitLocker is the drive encryption feature built into Windows. An encrypted drive can only be read with the correct key, and on a TPM-protected system that key is released (unsealed) by the Trusted Platform Module (TPM) during boot.

The TPM only releases the key if the measured hardware and boot-software state recorded in its Platform Configuration Registers (PCRs) matches the values the key was sealed against when BitLocker was turned on. If they do not match, Windows shows the BitLocker recovery console and asks for the 48-digit recovery key. Normally a single change prompts only once, because BitLocker re-seals the key to the new measurements after a successful recovery; if the measurements keep changing from boot to boot, or the re-sealed protector is never written back, BitLocker keeps asking for the recovery key on every boot.


Aside from this, a changed boot order, buggy firmware, or a misconfigured TPM platform validation profile (the set of PCRs the key is sealed against) are other possible reasons for the problem.

How to Fix BitLocker Asking for the Recovery Key on Each Boot

Suspending BitLocker before you make hardware or firmware changes, and resuming it afterwards, spares you the recovery-key prompt: while suspended, the volume boots with a clear key, and resuming re-seals the key to the new measurements.

If you do not know the recovery key, you can get stuck at the BitLocker recovery screen. In that case, sign in to your Microsoft account from any other computer to look up the recovery key stored there (on a work device, your Active Directory or Microsoft Entra administrator may hold it instead).


Update BIOS

In some cases the problem has been traced to buggy firmware (BIOS/UEFI). Older firmware versions were found to be incompatible with the TPM. Motherboard manufacturers tend to resolve such bugs and incompatibilities with updates.

Therefore, you can try updating the BIOS/UEFI firmware to fix the issue. Suspend BitLocker before flashing: a firmware update changes the measured boot values, and a drive that was not suspended will demand the recovery key on the first boot afterwards.

On many systems, OEM tools can be downloaded to ease the firmware update. Acer Care Center and Dell SupportAssist are examples of such applications.

Change BIOS Configuration

USB Type-C and Thunderbolt ports have boot support enabled by default in the firmware. If an I/O device or dock is connected through them, the firmware lists it in the boot priority list, and the measured boot configuration changes.

BitLocker then asks for the recovery key before letting you log in. To fix it, disable boot support for USB Type-C and Thunderbolt (TBT) in the firmware unless you really need it.


Re-enable Bitlocker

Sometimes the key protector is never re-sealed to the current PCR values, so each boot is flagged as a change in the hardware profile and the recovery key is required to gain access.

Suspending and then resuming protection forces a re-seal and fixes this kind of temporary glitch. Normally, running manage-bde -protectors -disable C: followed by manage-bde -protectors -enable C: in an administrator Command Prompt resolves the issue. These commands only suspend and resume protection; they do not decrypt the drive, so a full decrypt and re-encrypt is not needed.


If that does not hold, you can also adjust the BitLocker platform validation settings in the Group Policy Editor (gpedit.msc) to make the fix stick.

Step 1: Turn off BitLocker (or suspend it) on the OS drive.

Step 2: Configure Group Policy. The relevant settings are under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives, in particular Configure TPM platform validation profile for native UEFI firmware configurations, which selects the PCRs the key is sealed against.

Now you can turn BitLocker back on; the new protector is sealed with the chosen profile, which should fix the issue.
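The suspend-before-change routine described at the top of this section, together with the manage-bde suspend/resume commands from the Re-enable BitLocker section, as one worked procedure in PowerShell. This is an added example, not code from the original article. It assumes the OS volume is C:, an elevated PowerShell prompt, and Windows 10 or 11 with the built-in BitLocker module.

```powershell
# Added example, not from the original article. Assumes the OS volume is C: and an
# elevated PowerShell prompt on Windows 10/11 with the BitLocker module.
# Workflow: back up the recovery password, inspect the TPM protector's PCR profile,
# suspend protection, make the firmware/hardware change, reboot, resume protection.

$Drive = 'C:'   # assumption: the OS volume

$vol = Get-BitLockerVolume -MountPoint $Drive
"{0} status={1} protection={2} encrypted={3}%" -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage

# 1. Ensure a recovery password protector exists and record it off the machine first.
#    If the re-seal fails for any reason, this is the only way back in.
$rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}
$rp | ForEach-Object { "Recovery key ID {0}: {1}" -f $_.KeyProtectorId, $_.RecoveryPassword }
# On a Microsoft Entra joined device you can also escrow it to the tenant:
#   BackupToAAD-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp[0].KeyProtectorId

# 2. Show the PCR validation profile the TPM protector is sealed against. With UEFI and
#    Secure Boot on this is normally "7, 11"; the legacy profile is "0, 2, 4, 11".
manage-bde -protectors -get $Drive

# 3. Suspend protection for the next boot only. While suspended the volume key sits on
#    disk in the clear, so keep the window short; -RebootCount 0 would suspend indefinitely.
Suspend-BitLocker -MountPoint $Drive -RebootCount 1 | Out-Null
(Get-BitLockerVolume -MountPoint $Drive).ProtectionStatus   # Off

# ... flash the firmware, change the boot order or Secure Boot setting, then reboot ...

# 4. With -RebootCount 1 protection resumes automatically on that boot. Run Resume
#    explicitly if you used -RebootCount 0 or simply want to verify. Resuming re-seals
#    the key to the PCR values measured on the current boot, so the prompt stops.
Resume-BitLocker -MountPoint $Drive | Out-Null
(Get-BitLockerVolume -MountPoint $Drive).ProtectionStatus   # On
```

Step 1 is the part people skip: the recovery password is the fallback if the firmware change leaves the TPM unable to unseal the key for any reason, so print or escrow it before touching anything else.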

Use Legacy BIOS

Many manufacturers push UEFI boot mode on their products regardless of the TPM version. Although UEFI works with both TPM 1.2 and TPM 2.0, the older version sometimes shows compatibility issues with recent UEFI firmware. If that is your case, you can switch to Legacy BIOS (CSM) mode to check whether it solves the problem. Check first how Windows was installed: a UEFI installation on a GPT disk will not boot in Legacy mode, and Legacy mode has no Secure Boot.

Disable Secure Boot

The Secure Boot feature is enabled by default by manufacturers to keep the device from booting unauthorized firmware components or boot loaders. When it is enabled, only components signed with a key the firmware trusts are allowed to run.

The feature causes trouble when running many Linux distributions or less common GPUs. To rule it out, you can disable Secure Boot in the firmware. Suspend BitLocker first, because turning Secure Boot off changes the measured boot state (PCR 7) and forces a recovery prompt on its own. Be aware, too, that without Secure Boot BitLocker falls back to the PCR 0, 2, 4, 11 profile, under which firmware updates and option ROM changes trigger recovery more readily.


Scan for Malware

Malware that tampers with boot components or kernel-level processes changes what the firmware and boot manager measure into the TPM, which counts as a system profile change. If such a change occurs in every session, the recovery key is required after each reboot.

You should routinely check your system for threats to stay clear of this issue and other security risks.


An offline scan (such as Microsoft Defender Offline) reboots your computer and takes a while to perform a full scan, then remediates any threats it finds.

Windows Update

Updating Windows fixes bugs and resolves TPM/BitLocker compatibility issues in the current version. Sometimes firmware and driver updates are also delivered through Windows Update, which fixes various issues including this one.

Consider resetting the Windows Update components if you face problems while updating.


If the problem started after installing a Windows update, you can uninstall that update to roll your computer back to the last known stable state.

Solve TPM Problems

Whatever the cause, the problem comes down to the TPM not releasing the decryption key during boot. The fault can also lie in the TPM itself rather than in any of the causes above: a stale sealed key, a corrupt driver, or a defective module are all possible.

Clear TPM Key

If the keys saved in the TPM are stale or wrong, the device shows this issue on every reboot. Clearing the TPM removes those keys and lets Windows re-provision it from its default state. Clearing also destroys BitLocker's TPM key protector, so suspend BitLocker (or have the recovery key at hand) before you clear, and resume BitLocker afterwards so that a fresh protector is sealed to the cleared TPM.
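Before resorting to a TPM clear, it is worth checking what the TPM and platform actually report, and then clearing in an order that does not lock you out. The following is an added example, not from the original article; it assumes the OS volume is C:, an elevated PowerShell prompt, and the standard BitLocker-API event channel name.

```powershell
# Added example, not from the original article. Assumes the OS volume is C: and an
# elevated PowerShell prompt. Diagnoses the TPM/platform state behind a recovery
# prompt, then clears the TPM without losing access to the drive.

$Drive = 'C:'   # assumption: the OS volume

# 1. Firmware mode and Secure Boot state: these decide which PCRs BitLocker binds to
#    (7 and 11 with Secure Boot on; 0, 2, 4 and 11 otherwise).
"Firmware mode : $env:firmware_type"                  # 'UEFI' or 'Legacy'
if ($env:firmware_type -eq 'UEFI') {
    "Secure Boot   : $(Confirm-SecureBootUEFI)"          # True or False
}

# 2. TPM presence, readiness and dictionary-attack lockout. A TPM that is present but
#    not ready, or that is locked out, cannot unseal the key and forces recovery.
Get-Tpm | Select-Object TpmPresent, TpmReady, LockedOut, ManufacturerIdTxt, ManufacturerVersion

# 3. TPM spec version (1.2 vs 2.0), relevant to the UEFI compatibility note above.
(Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm).SpecVersion

# 4. The BitLocker management log usually states why the last boot entered recovery.
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 5. Safe clear. Suspending first leaves the volume bootable with a clear key while the
#    TPM is cleared and re-provisioned; skip it and the next boot WILL demand the
#    recovery key, because the sealed protector no longer exists.
$hasTpmProtector = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
    Where-Object { $_.KeyProtectorType -like 'Tpm*' }
if ($hasTpmProtector) {
    Suspend-BitLocker -MountPoint $Drive -RebootCount 0 | Out-Null   # 0 = stay suspended until resumed
}
Clear-Tpm                   # firmware may ask you to confirm physical presence at the next boot
Restart-Computer -Confirm

# After the reboot Windows auto-provisions the TPM. Re-seal BitLocker to it and verify:
#   Resume-BitLocker -MountPoint 'C:'
#   (Get-BitLockerVolume -MountPoint 'C:').ProtectionStatus   # On
```

The diagnostic steps matter because a locked-out or not-ready TPM produces exactly the same recovery prompt as a stale sealed key, and clearing it is a one-way operation that also wipes any other TPM-backed credentials (Windows Hello, virtual smart cards) on the machine.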

Reinstall TPM Driver

Corrupt TPM drivers can also break the overall function of the TPM. You may try reinstalling the driver to fix it.

After you uninstall the device under Security devices in Device Manager, the driver reinstalls shortly on the next hardware scan or reboot.

Replace TPM

If nothing fixes the problem for you, the odds are that the TPM hardware itself is faulty. In that case, contact the manufacturer's support about a TPM replacement. Note that on many recent systems the TPM is a firmware TPM (Intel PTT or AMD fTPM) built into the CPU or chipset rather than a discrete module, so the remedy there is a firmware update or a motherboard replacement.
