This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 70%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
I have a Win10 PC with Bitlocker protected OS drive C:, that has started to request the Bitlocker Recovery key be input upon cold boots, restarts, and resumes from hibernation even when no changes have been made to the hardware or to the selected UEFI boot device in-between. I have:
None of the above restores the Bitlocker behaviour to the normal operation it previously had (ie. to requirement for Recovery key input on C: only if dual-booting from an external drive). Is there another known solution to attempt ?
If not, am I left to assume that either (1) the TPM is faulty, or (2) some hardware/firmware component of the PC is mis-reporting its identity to TPM each boot, or (3) something is incorrectly writing to GPT every shutdown. Is there another possibility that might be causing this behaviour ?
Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 81%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
Have you checked the event viewer for log files related to BitLocker?
Do you see any relevant logs there?
Thanks, and 'yes'. The logged error event sequence is 24680, 24635 and 24636 - in summary, that Bitlocker fails to obtain the volume master key due to non-matching PCRs. I understand this to mean that the TPM calculates upon re-boot/resume that the PC's hardware profile has been changed since the previous boot/initialization. Clearly, in each case here it hasn't been but that is what the TPM calculates, so refuses Bitlocker the VMK.
My suggestions 1, 2 and 3 were those I could think of as to why this incorrect calculation might happen. ! and 2 would be hardware/firmware issues and not fixable by a clean re-install of Win10. I don't want to attempt that if it's likely not to be the solution.
I should have added originally that the local group policy settings for PCR are "not configured", which I understand to be recommended for Win10 so the OS when initializing TPM can define which components to include in the PCR.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 12%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
I am way out of my understanding getting on here, but I too, have too put in that very long recovery key on every reboot, and at other odd times. I fully do not understand the BIOS update of where/how/what of that. Updates have been done, I don't make system changes and have, simply no idea why this thing is doing what this thing is doing. How do we turn this 48 number long code off for EVERY TIME I want to use my computer???????
Please, someone, help this schmuck. Please.
Joedodger, in what you have written it is not clear whether you do want to use Bitlocker but find it is working incorrectly (ie. by requesting recovery key every boot) or whether you do not want to use Bitlocker.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 44%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
Instead of entering your 48 digit key, press ESC, which takes you to another (similar) screen. At the new screen, enter the 48 digit key. This will alter the system and you'll never have to do it again.
Instead of entering your 48 digit key, press ESC, which takes you to another (similar) screen. At the new screen, enter the 48 digit key. This will alter the system and you'll never have to do it again.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 73%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERL%3C/text%3E%3C/svg%3E)
I believe this is the right answer. At least it worked for me!. Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEH%3C/text%3E%3C/svg%3E)
I can confirm that Gray Strickland's suggestion worked for me. I had just replaced my laptop's main board, while keeping the same SSD, and bitlocker was asking for my recovery key on every boot. After entering the key in the "Press Esc for more recovery options" field, I no longer have to enter it on boot anymore. Also note that I am on Windows 11.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 76%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
Thx Gray Strickland it worked for me.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 94%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
I too had this very same issue. What I discovered is that the Windows Boot Manager in the BIOS must be the first item in the Boot Order. The Windows Boot Manager scans for the Network Unlock. I can't explain it so maybe this link will provide the information some may want. https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 32%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPC%3C/text%3E%3C/svg%3E)
@Gray Strickland 's "fix" worked for a while, but now no longer does for me. :(
No, I am not talking about removing the TPM itself, but the bitlocker TPM protector.
You do it like this on an elevated command prompt:
manage-bde -protectors -delete C: -Type TPM
This assumes, you use TPM without a PIN, if you use it with PIN, use instead:
manage-bde -protectors -delete C: -TypeTPMAndPIN
Then re-add it:
manage-bde -protectors -add c: -tpm
(or manage-bde -protectors -add c: -TPMAndPIN)
Thanks, but that is already something I had tried and did not work.
Remove the TPM protector and re-add it again.
If that does not help, verify if the TPM is operating as TPM 2.0 and if yes, if the OS drive uses GPT partitioning (it has to, for TPM 2.0).
Thanks. Yes, it is TPM 2.0 and GPT on the OS drive.
By "remove the TPM protector and re-add it" do you mean remove it from Win10 use via Device Manager (and if so, how to re-add ?) or do you mean remove from boot procedure by changing something in UEFI ?
Hi,
Could you please tell us your model?
Here is a KB from Dell Support which might help, BitLocker Asks for a Recovery Key Every Boot on USB-C / Thunderbolt Systems When Docked or Undocked.
Update your system's BIOS before proceeding, as some BIOS updates have implemented a fix for this issue.
Before you update the BIOS, please Suspend BitLocker protection.
Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
----------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
It's a Dynabook (Toshiba) Portege X30T-E rather than a Dell, unfortunately. The BIOS is up-to-date (last updated in November).
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 75%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMV%3C/text%3E%3C/svg%3E)
Have you managed to find a solution for this? Facing similar issues on some computers, starting the current month (March, 2021).
BitLocker event log warning in one of the affected machines: "BitLocker cannot use Secure Boot for integrity because the TCG Log for PCR [7] contains invalid entries"
I resolved the issue with the following steps:
It did not work first time through without the third step - after step 6, the new installation (as made at step 4) did not require the Recovery Key but the restored image after step 7 still did. When performed a second time through adding in step 3, it worked correctly for both the re-installed system and the restored image. (It is possible the difference isn't step 3 but actually just to have repeated the other steps for some reason.)
Hope this helps in your case.