Describes common problems that can occur that prevent BitLocker from behaving as expected when restoring a drive or that could cause BitLocker to start unexpectedly. The article provides guidance for solving such problems.


BitLocker recovery: known problems


This article describes common problems that could prevent BitLocker from behaving as expected when restoring a drive or that could cause BitLocker to start unexpectedly. The article provides guidance for solving these problems.

Note

In this article, “recovery password” refers to the 48-digit recovery password and “recovery key” refers to the 32-digit recovery key. For more information, see BitLocker Key Protection.

Windows requires a BitLocker recovery password that has not been configured

Windows requires a BitLocker recovery password. However, a BitLocker recovery password has not been configured.

Resolution

The BitLocker and Active Directory Domain Services FAQ addresses situations that can produce this symptom and provides information on how to fix the problem:

The recovery password for a laptop was not backed up, and the laptop is locked

You have a Windows 11 or Windows 10 Home laptop and you need to recover its hard drive. The disk was encrypted using BitLocker Drive Encryption. However, the BitLocker recovery password was not backed up and the usual laptop user is not available to provide the password.

Resolution

You can use one of the following methods to manually back up or synchronize an online client’s existing recovery information:

  • Create a Windows Management Instrumentation (WMI) script to back up your information. For more information, see BitLocker Drive Encryption Provider.

  • In an elevated Command Prompt window, use the manage-bde command to back up your information.

    For example, to back up all recovery information for drive C: in AD DS, open an elevated Command Prompt window and run the following command:

      manage-bde -protectors -adbackup C:
     

Note

BitLocker does not automatically manage this backup process.
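Because the backup is not automatic, it helps to script it and record which protectors were escrowed. The following is an added example, not part of the original article: it uses the BitLocker PowerShell cmdlets rather than manage-bde, the function name `Backup-RecoveryPasswordsToAD` is hypothetical, and it assumes an elevated session on a domain-joined client.

```powershell
# Added example: back up every recovery-password protector on a volume to AD DS.
# Assumptions: elevated PowerShell session, domain-joined client, BitLocker module available.
function Backup-RecoveryPasswordsToAD {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = $env:SystemDrive   # defaults to the OS drive, for example "C:"
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # The 48-digit recovery password is what gets read back during recovery,
    # so only protectors of that type are selected here.
    $passwords = @($volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($passwords.Count -eq 0) {
        Write-Warning "$MountPoint has no recovery password protector; nothing to back up."
        return
    }

    foreach ($protector in $passwords) {
        $target = "$MountPoint $($protector.KeyProtectorId)"
        if (-not $PSCmdlet.ShouldProcess($target, 'Back up to AD DS')) { continue }

        $result = [ordered]@{
            MountPoint     = $MountPoint
            KeyProtectorId = $protector.KeyProtectorId
            BackedUp       = $false
            Error          = $null
        }
        try {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
            $result.BackedUp = $true
        }
        catch {
            # Keep going so one failed protector does not hide the others.
            $result.Error = $_.Exception.Message
        }
        # The report carries only the protector ID, never the password itself.
        [pscustomobject]$result
    }
}

Backup-RecoveryPasswordsToAD -MountPoint 'C:'
```

Run it with `-WhatIf` first to list the protectors that would be backed up without writing anything to the directory.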

Tablet devices do not support using manage-bde -forcerecovery to test recovery mode

You have a tablet or slate device and are trying to test BitLocker recovery by running the following command:

  Manage-bde -forcerecovery
 

However, after entering the recovery password, the device cannot boot.

Cause

Important

Tablet devices do not support the manage-bde -forcerecovery command.

This problem occurs because the Windows Boot Manager cannot process touch input during the pre-boot phase of boot. If Boot Manager detects that the device is a tablet, it redirects the boot process to the Windows Recovery Environment (WinRE), which can process touch input.

If WinRE detects the TPM protector on the hard drive, it performs a PCR reseal. However, the manage-bde -forcerecovery command deletes the TPM protectors on the hard drive. Therefore, WinRE cannot reseal the PCRs. This error triggers an infinite BitLocker recovery loop and prevents Windows from starting.

This behavior is expected for all versions of Windows.

Workaround

To resolve the reboot loop, follow these steps:

  1. On the BitLocker Recovery screen, select Skip this drive.

  2. Select Troubleshoot > Advanced options > Command Prompt.

  3. In the Command Prompt window, run the following commands:

      manage-bde -unlock C: -rp <48-digit BitLocker recovery password>
      manage-bde -protectors -disable C:
    
     
  4. Close the Command Prompt window.

  5. Shut down the device.

  6. Boot the device. Windows should start as usual.

After installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password

You have a Surface device with BitLocker Drive Encryption enabled. You update the device TPM firmware or install an update that changes the system firmware signature. For example, you install the Surface TPM (IFX) update.

You are experiencing one or more of the following symptoms on your Surface device:

  • At startup, you are prompted for the BitLocker recovery password. You enter the correct recovery password, but Windows won’t start.
  • Startup proceeds directly into the Surface Unified Extensible Firmware Interface (UEFI) settings.
  • The Surface device appears to be in an endless reboot loop.

Cause

This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the PCR 7 and PCR 11 defaults. For example, the following settings can configure the TPM in this way:

  • Secure boot disabled.
  • PCR values have been explicitly defined, for example by Group Policy.

Devices that support connected standby (also known as InstantGO or Always On, Always Connected PCs), including Surface devices, must use PCR 7 of the TPM. In the default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are configured correctly. For more information, see “About the Platform Configuration Register (PCR)” in BitLocker Group Policy Settings.

Resolution

To check the PCR values in use on a device, open an elevated Command Prompt window and run the following command:

  manage-bde.exe -protectors -get <OSDriveLetter>:

In this command, <OSDriveLetter> represents the drive letter of the operating system drive.
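To turn that check into a pass/fail result, the script below (an added example, not from the original article) parses the manage-bde output, extracts the PCR validation profile of the TPM protector, and compares it with the PCR 7 and PCR 11 defaults described above. The function name `Get-BitLockerPcrProfile` is hypothetical, and the parsing assumes English-language manage-bde output with a "PCR Validation Profile:" label.

```powershell
# Added example: report whether the TPM protector uses the default PCR 7, 11 profile.
# Assumptions: elevated session, English-language manage-bde output.
function Get-BitLockerPcrProfile {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $lines = @(& manage-bde.exe -protectors -get $MountPoint 2>&1 | ForEach-Object { "$_" })
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde failed for ${MountPoint}: $($lines -join ' ')"
    }

    # The register list follows the "PCR Validation Profile:" label, either on
    # the same line or on the next one, so both layouts are handled.
    $pcrText = $null
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile:\s*(.*)$') {
            $pcrText = $Matches[1]
            if ((-not $pcrText.Trim()) -and (($i + 1) -lt $lines.Count)) {
                $pcrText = $lines[$i + 1]
            }
            break
        }
    }
    if (-not $pcrText) {
        throw "No TPM protector with a PCR validation profile was found on $MountPoint."
    }

    $pcrs = @([regex]::Matches($pcrText, '\d+') |
        ForEach-Object { [int]$_.Value } | Sort-Object)

    # Confirm-SecureBootUEFI throws on systems without UEFI; report that as $null.
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    [pscustomobject]@{
        MountPoint        = $MountPoint
        PcrProfile        = $pcrs
        IsDefaultProfile  = (($pcrs -join ',') -eq '7,11')
        SecureBootEnabled = $secureBoot
    }
}

Get-BitLockerPcrProfile -MountPoint 'C:'
```

A device that reports `IsDefaultProfile = False` or `SecureBootEnabled = False` matches the cause described in this section and should have BitLocker suspended before any TPM or UEFI firmware update.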

To fix this and reset your device, please follow these steps.

Step 1: Disable the TPM protectors on the boot drive

If you have installed a TPM or UEFI update and the device cannot boot, even if you enter the correct BitLocker recovery password, you can restore the ability to start by using the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive.

To do this, do the following:

  1. Obtain the BitLocker recovery password from your Microsoft.com account. If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact the administrator for assistance.

  2. Use another computer to download the Surface recovery image from Download a recovery image for Surface. Use the downloaded image to create a USB recovery drive.

  3. Insert the Surface USB Recovery Image Drive into your Surface device and boot the device.

  4. When prompted, select the following:

    1. Language of the operating system.

    2. Keyboard layout.

  5. Select Troubleshoot > Advanced options > Command Prompt.

  6. In the Command Prompt window, run the following commands:

      manage-bde -unlock -recoverypassword <Password> <DriveLetter>:
      manage-bde -protectors -disable <DriveLetter>:

    In these commands, <Password> is the BitLocker recovery password obtained in step 1 and <DriveLetter> is the drive letter assigned to the operating system drive.

    Note

    For more information on how to use this command, see manage-bde: unlock.

  7. Restart your computer.

  8. When prompted, enter the BitLocker recovery password obtained in step 1.

Note

After disabling the TPM protectors, BitLocker Drive Encryption no longer protects the device. To re-enable BitLocker Drive Encryption, select Start, type Manage BitLocker and then press ENTER. Follow the steps to encrypt your drive.

Step 2: Use Surface BMR to restore data and reset device

To restore data from your Surface device if Windows fails to start, follow steps 1 through 5 of Step 1 to return to the Command Prompt window, and then follow these steps:

  1. At the command prompt, run the following command:

      manage-bde -unlock -recoverypassword <Password> <DriveLetter>:

    In this command, <Password> is the BitLocker recovery password obtained in step 1 of Step 1 and <DriveLetter> is the drive letter assigned to the operating system drive.

  2. After unlocking the drive, use the copy command or xcopy to copy user data to another drive.

    Note

    For more information on these commands, see Windows commands.

  3. To reset the device using a Surface recovery image, follow the instructions in the “How to reset Surface with USB recovery drive” section in Creating and using a USB recovery drive.

Step 3: Restore the default PCR values

To prevent this problem from happening again, we recommend that you restore the default Secure Boot configuration and PCR values.

To enable Secure Boot on a Surface device, follow these steps:

  1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window and run the following cmdlet:

      Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0

    In this command, <DriveLetter> is the letter assigned to the drive.

  2. Restart the device, and then edit the BIOS to set the Secure Boot option to Microsoft only.

  3. Restart your device.

  4. Open an elevated PowerShell window and run the following cmdlet:

      Resume-BitLocker -MountPoint "<DriveLetter>:"
     

To reset the PCR settings in the TPM, follow these steps:

  1. Disable GPOs that configure PCR settings, or remove the device from all groups that apply PCR settings.

    For more information, see Group Policy Settings for BitLocker.

  2. Suspend BitLocker. To do this, open an elevated Windows PowerShell window and run the following cmdlet:

      Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0

    where <DriveLetter> is the letter assigned to the drive.

  3. Run the following cmdlet:

      Resume-BitLocker -MountPoint "<DriveLetter>:"
     

Step 4: Suspend BitLocker during TPM or UEFI firmware updates

You can avoid this scenario when installing system firmware or TPM firmware updates by temporarily pausing BitLocker before applying those updates.

Important

TPM and UEFI firmware updates may require multiple reboots during installation. To keep BitLocker suspended during this process, you must use Suspend-BitLocker and set the RebootCount parameter to one of the following values:

  • 2 or higher: This value sets the number of device reboots before BitLocker Device Encryption resumes.
  • 0 : This value suspends BitLocker Drive Encryption indefinitely, until you use Resume-BitLocker or some other mechanism to resume protection.

To suspend BitLocker while installing TPM or UEFI firmware updates:

  1. Open an elevated Windows PowerShell window and run the following cmdlet:

      Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0

    In this cmdlet, <DriveLetter> is the letter assigned to the drive.

  2. Install Surface Device Driver and Firmware Updates.

  3. After installing the firmware updates, restart your computer, open an elevated PowerShell window and run the following cmdlet:

      Resume-BitLocker -MountPoint "<DriveLetter>:"
     

To re-enable BitLocker Drive Encryption, select Start, type Manage BitLocker and then press ENTER. Follow the steps to encrypt your drive.
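A suspended volume is unprotected until protection resumes, so the suspend and resume steps are worth wrapping with checks. The following is an added example, not part of the original article; the function names are hypothetical, and the upper bound of 15 comes from the documented range of the Suspend-BitLocker RebootCount parameter.

```powershell
# Added example: suspend BitLocker around a firmware update and verify it comes back on.
# Assumptions: elevated PowerShell session, BitLocker module available.
function Suspend-BitLockerForFirmwareUpdate {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # 0 = suspended until Resume-BitLocker is run; 2-15 = number of restarts.
        [ValidateScript({ $_ -eq 0 -or ($_ -ge 2 -and $_ -le 15) })]
        [int]$RebootCount = 0
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # If the update changes the measured boot state, recovery is the fallback,
    # so refuse to continue when no recovery password protector exists.
    $recovery = @($volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        throw "$MountPoint has no recovery password protector. Add and back one up first."
    }

    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount -ErrorAction Stop |
        Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # expected: Off
}

function Resume-BitLockerAfterFirmwareUpdate {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    Resume-BitLocker -MountPoint $MountPoint -ErrorAction Stop | Out-Null

    # Verify the result instead of trusting that the cmdlet call was enough.
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    if ($volume.ProtectionStatus -ne 'On') {
        throw "$MountPoint is still unprotected (ProtectionStatus = $($volume.ProtectionStatus))."
    }
    $volume | Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

# Usage, in order:
#   Suspend-BitLockerForFirmwareUpdate -MountPoint 'C:' -RebootCount 0
#   ...install the firmware updates and restart as required...
#   Resume-BitLockerAfterFirmwareUpdate -MountPoint 'C:'
```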

After installing an update on a Hyper-V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000

You have a device running Windows 11, Windows 10, version 1703, Windows 10, version 1607, or Windows Server 2016. Additionally, Hyper-V is enabled on the device. After installing an affected update and restarting the device, the device enters BitLocker recovery mode and displays error code 0xC0210000.

Workaround

If the device is already in this state, you can start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, do the following:

  1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from the organization portal or from any location where the password was stored when BitLocker Drive Encryption was first enabled.

  2. On the Recovery screen, press ENTER. When prompted, enter your recovery password.

  3. If the device boots into the Windows Recovery Environment (WinRE) and asks you to enter the recovery password again, select Skip the drive.

  4. Select Advanced options > Troubleshoot > Advanced options > Command Prompt.

  5. In the Command Prompt window, run the following commands:

      Manage-bde -unlock c: -rp <48-digit numerical recovery password separated by "-" in 6-digit groups>
      Manage-bde -protectors -disable c:
      exit
     

    These commands unlock the drive and suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window.

    Note

    These commands suspend BitLocker for a device restart. The -rc 1 option works only within the operating system and not in the recovery environment.

  6. Select Continue. Windows should start.

  7. After Windows has started, open an elevated Command Prompt window and run the following command:

      Manage-bde -protectors -enable c:
     

Important

Unless you suspend BitLocker before booting the device, the problem returns.

To temporarily suspend BitLocker before restarting the device, open an elevated Command Prompt window and run the following command:

  Manage-bde -protectors -disable c: -rc 1
 

Resolution

To resolve this issue, install the appropriate update on the affected device:

  • For Windows 10, version 1703 or Windows 11: July 9, 2019 - KB4507450 (OS Build 15063.1928)
  • For Windows 11, Windows 10 version 1607 and Windows Server 2016: July 9, 2019 - KB4507460 (OS Build 14393.3085)

Credential Guard / Device Guard on TPM 1.2: BitLocker asks for the recovery password on every restart and returns error 0xC0210000

You have a device that uses TPM 1.2 and is running Windows 10, version 1809 or Windows 11. Additionally, the device uses virtualization-based security features such as Device Guard and Credential Guard. Each time the device boots, it enters BitLocker recovery mode and displays error code 0xc0210000 and a message similar to the following.

Recovery

The PC / device needs to be reset.
Unable to access a required file because the BitLocker key was not loaded correctly.

Error code 0xc0210000

You will need to use the recovery tools. If you don’t have any installation media (such as a disk or USB device), please contact your PC administrator or PC / device manufacturer.

Cause

TPM 1.2 does not support secure boot. For more information, see System Guard Secure Boot and SMM Security: Requirements Fulfilled by System Guard-Enabled Computers.

For more information on this technology, see Windows Defender System Guard: How A Hardware-Based Root of Trust Helps Secure Windows.

Resolution

To fix this, do one of the following:

  • Remove any device using TPM 1.2 from any group subject to Group Policy Objects (GPOs) that enforce Secure Boot.
  • Edit the Enable Virtualization Based Security Group Policy Object to set Secure Boot Configuration to Disabled.

