How to stop BitLocker from asking for recovery key?

  • Question

  • My C: drive has BitLocker encryption with a PIN set. Every reboot, it asks for the PIN, which is great. However, if any application was installed or startup options changed, it also asks for the tedious recovery key. Unfortunately, this is quite often. 

    How do I disable asking for the recovery key? (At least in these conditions). I understand this is less secure, but am happy with just the PIN check.

    UPDATE 8/24/18: I had ended up uninstalling BitLocker since, not only was it annoying, but it was also preventing me from installing one of the big Windows 10 updates.

    However, I recently discovered this line in the BIOS Release Notes:

    "Fixed issue where system always prompts for a BitLocker recovery key after a reboot."

    I will be installing this BIOS update, then reinstalling BitLocker, to see if this addresses the problem. 

    • Edited by Denis.P Friday, August 24, 2018 11:10 PM
    Thursday, February 9, 2017 6:17 PM

All replies

  • Hi,

    >> if any application was installed or startup options changed, it also asks for the tedious recovery key
    Yes, we will be asked for the Recovery Key when some configurations change. That is the default behavior. It is by design. Based on your situation, I suggest you temporarily turn off BitLocker before you change startup options. Then, turn on BitLocker again after changing, to work around this behavior.

    “Each time the computer starts, the TPM will check that the services you specified in the platform validation profile have not changed. If any of these services change while BitLocker Drive Encryption (BDE) protection remains on, the TPM will not release the encryption key to unlock the disk volume and the computer will enter into recovery mode.”

    Best regards




    Friday, February 10, 2017 5:54 AM
  • Suspend (not turn off, which means decrypt!) BitLocker before you do low-level changes. Windows updates and software installations are not low-level changes unless they install new device firmware as well (not drivers, but firmware). BIOS/UEFI changes mostly are low-level changes.
    Friday, February 10, 2017 4:43 PM
  • I don't believe this is a practical solution with the behavior I have. BitLocker is frequently asking for a recovery key. It seems to be related to when I install new software or change the startup programs. I am not installing driver updates or firmware, or making BIOS changes. Considering the frequency with which I am installing or updating software, it is not practical to temporarily turn off BitLocker. In fact, I can never predict when an installation will lead to BitLocker asking for a recovery key, so the solution will not work for me anyway.

    Assuming the information being provided to me in this thread, as to why it's asking for the recovery key, is correct, then I have two paths forward:

    A) Per my original question, how do I disable BitLocker asking for the recovery key entirely?  I would like it to continue asking for the PIN, but not the recovery key.

    B) How can I diagnose why BitLocker is asking for the recovery key?  Perhaps this can help me predict the triggering behavior.

    Thank you


    Saturday, February 18, 2017 10:41 PM
  • Hi Ronald,

    As I just put in my last post, it is asking for the recovery key even if I am not installing new device firmware or changing BIOS settings. I cannot predict when it will ask, but it definitely is asking even if I do not "do low-level changes". So what else can I do?

    thank you


    Saturday, February 18, 2017 10:42 PM
  • Hi Denis.

    I have administered BitLocker in our company for many years.

    The recovery key gets requested (here, on our roughly 80 computers) only when we:

    - do BIOS updates
    - change BIOS config, like boot order, or toggle Secure Boot on/off
    - remove the hard drive and connect it to another machine
    - install firmware updates to parts of the mainboard

    It never (not once) requested the recovery key after we:

    - install software
    - install Windows updates
    - change startup programs/services

    So what you see needs to be looked at. You will need to provide reproducible steps.

    And about your "how do I disable BitLocker asking for the recovery key entirely" - you can change what triggers recovery key requests, but since your state is abnormal already (at least if it is as you report it), you can't be sure it helps. But look at the policy nevertheless: https://www.windows-security.org/c79e2a07d97554cf75d6c94f5a4cb64a/configure-tpm-platform-validation-profile-for-native-uefi-firmware

    About "How can I diagnose why BitLocker is asking for the recovery key?" - is it logged? I am not so sure - please look at Event Viewer -> Applications and Services Logs > Microsoft > Windows > BitLocker

    Monday, February 20, 2017 7:37 AM
  • Hi Rick,

    This information is very useful. I did review the Event Viewer (the group is "BitLocker-API | Management").

    * There are daily "Information" events that say this: "BitLocker cannot use Secure Boot for integrity because it is disabled in Group Policy."

    * There are periodic three-event sets (once every few days, may coincide with the Recovery Key prompt - have not confirmed):

    ** Information: "BitLocker successfully sealed a key to the TPM", "PCRs measured include [0,2,4,8,9,11]", "The source for these PCRs was: Group Policy."

    ** Warning: "BitLocker resealed boot settings to the TPM for volume C:"

    ** Information: "A trusted WIM file has been added for volume C:. The SHA-256 hash of the WIM file is: ..."

    I admit I am a bit confused by the linked article. How do I know if my computer has a "compatible TPM", or if "BitLocker has already been turned on with TPM protection", if I have "a native UEFI firmware configuration", or if I have a "Compatibility Support Module (CSM) enabled"?

    I did check the Group Policy page. They are all "Not configured" except:

    * Require additional authentication at startup = Enabled

    * Configure TPM platform validation profile for BIOS-based firmware = Enabled

    * Configure TPM platform validation profile for native UEFI firmware = Enabled

    I believe I enabled the first one to relate to when it was asking for the PIN.

    


    Tuesday, February 21, 2017 3:40 PM
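A diagnostic script, added here as an example and not posted by anyone in the thread, that answers the questions raised above from an elevated PowerShell prompt on the affected PC: whether the firmware booted as native UEFI or through a CSM, which PCRs the TPM protector is actually sealed against, what the two platform validation profile policies contain, and what the BitLocker Management log recorded around each reseal so it can be lined up with reboots. It assumes the policies are written under HKLM:\SOFTWARE\Policies\Microsoft\FVE as an Enabled value plus PCR0..PCR23 flags; the cmdlets, log name and event ID are standard Windows ones.

```powershell
# Added diagnostic script (not from the thread). Run in an elevated PowerShell on the affected PC.
# Assumption: the two "Configure TPM platform validation profile" policies are written by Group
# Policy to HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_{UEFI,BIOS} as an
# "Enabled" DWORD plus PCR0..PCR23 DWORD flags (1 = PCR included in the profile).

# 1. Firmware mode: $env:firmware_type is "UEFI" on a native UEFI boot and "Legacy" when booted
#    through a CSM. Confirm-SecureBootUEFI throws on a legacy boot, which is itself informative.
$firmware = $env:firmware_type
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = 'n/a (legacy boot or no access)' }
"Firmware type: $firmware    Secure Boot enabled: $secureBoot"

# 2. TPM state and the key protectors on the OS volume; a TPM+PIN protector shows as TpmPin.
Get-Tpm | Select-Object TpmPresent, TpmReady, ManufacturerVersion | Format-List
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object VolumeStatus, ProtectionStatus,
        @{n='Protectors'; e={ ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ', ' }} |
    Format-List
# manage-bde prints the PCR validation profile the TPM protector was actually sealed against.
manage-bde -protectors -get C: | Select-String -Pattern 'PCR Validation Profile' -Context 0,1

# 3. What each platform validation profile policy asks for (compare with the PCRs in step 2).
foreach ($sub in 'OSPlatformValidation_UEFI', 'OSPlatformValidation_BIOS') {
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE\$sub"
    if (-not (Test-Path $key)) { "$sub : not configured"; continue }
    $p = Get-ItemProperty -Path $key
    $pcrs = $p.PSObject.Properties |
        Where-Object { $_.Name -match '^PCR\d+$' -and $_.Value -eq 1 } |
        ForEach-Object { $_.Name -replace 'PCR', '' }
    "$sub : Enabled=$($p.Enabled)  PCRs=$(($pcrs | Sort-Object { [int]$_ }) -join ',')"
}

# 4. Seal/reseal and Secure Boot messages from the log quoted in the thread, plus boot times from
#    the System log (event 6005 = event log service started) to line reseals up with reboots.
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 500 |
    Where-Object { $_.Message -match 'sealed|PCRs measured|Secure Boot' } |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{n='Message'; e={ $m = $_.Message -replace '\s+', ' '
                           $m.Substring(0, [Math]::Min(120, $m.Length)) }} |
    Format-Table -AutoSize -Wrap
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005 } -MaxEvents 10 |
    Select-Object TimeCreated | Format-Table
```

If the PCR list in step 2 differs from the policy in step 3, the protector was sealed under an older profile and a reseal (and possibly a recovery prompt) is to be expected on the next reboot.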
  • Any resolution on this? I have a similar situation. One of our 350 PCs is having this very issue. It makes no sense to me what is going on with this. I have similar logs as posted.
    Tuesday, January 8, 2019 1:25 PM
  • For me, this was resolved through a BIOS update. 
    Tuesday, January 8, 2019 2:53 PM