Share via

BitLocker asking over and over for a recovery key

Damian Kowalik 0 Reputation points
2026-04-28T09:38:04.4066667+00:00

Hello there,

I have been experiencing issues with several laptops for over a week. BitLocker is prompting for the recovery key on every startup. This has been occurring daily when the devices are powered on.

It appears that BitLocker is requesting the recovery key due to an unexpected Secure Boot policy change, accompanied by the following error:

7_3_80000001_80000001_db_db_7_7351f...0376_769b...4ad2_1

The affected laptops have been checked and show the following status:

  • Secure Boot is enabled
  • No errors are shown under Security Processor troubleshooting
  • TPM protection status is On
  • TPM status is Ready for use
  • No TPM‑related error Event IDs are observed in Event Viewer

Could you please advise on the possible cause of this behaviour and the next steps for remediation?

Thank you.

Regards,

Damian

Windows for business | Windows Client for IT Pros | Devices and deployment | Recovery key
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jason Nguyen Tran 19,865 Reputation points Independent Advisor
    2026-04-28T10:23:25.0566667+00:00

    Hi Damian Kowalik,

    From your description, the most likely cause is a Secure Boot or firmware change that BitLocker interprets as a potential tampering event. Even if TPM shows as healthy and ready, BitLocker will trigger recovery if it detects unexpected changes in the boot configuration or Secure Boot policies. The error string you shared aligns with this type of mismatch.

    The first step is to confirm that the Secure Boot configuration is consistent across all affected laptops and that no recent firmware or BIOS updates introduced new keys or altered boot policies. If changes were made, re‑enabling BitLocker protection after clearing and re‑establishing the TPM ownership can help reset the baseline. Another option is to suspend BitLocker before applying firmware updates, then resume protection afterward to avoid repeated recovery prompts.

    You should also check Group Policy settings related to BitLocker, as certain policies can force recovery if they don’t match the current hardware state. Running manage-bde -status can provide additional insight into the protection state and whether BitLocker is detecting configuration mismatches.

    In short, the issue is usually tied to Secure Boot or firmware changes rather than TPM errors. Resetting the baseline by suspending and resuming BitLocker, or re‑establishing TPM ownership, often resolves the repeated recovery prompts.

    I hope this gives you a clear path forward. If you find this answer helpful, please consider clicking Accept Answer so others can benefit too.

    Jason.

    Was this answer helpful?

    0 comments

  2. AI answer

    2026-04-28T09:38:21.2933333+00:00

    The behavior is consistent with BitLocker entering recovery because the Secure Boot measurements in TPM PCR 7 no longer match what was recorded when the TPM protector was last updated.

    Key points from the scenario:

    • Error text indicates an unexpected Secure Boot policy change.
    • BitLocker uses TPM PCRs (especially PCR 7 on modern/Connected Standby devices) to validate Secure Boot state before automatically unlocking.
    • When the Secure Boot configuration or its measurements change unexpectedly, BitLocker cannot validate the boot chain and repeatedly falls back to recovery.

    From the BitLocker preboot recovery documentation:

    • E_FVE_SECUREBOOT_CHANGED is raised when the Secure Boot configuration unexpectedly changed and the boot configuration measured in PCR 7 changed. This can be due to:
      • An additional measurement now present that was not present when BitLocker last updated the TPM protector.
      • A missing measurement that was present before.
      • An expected event having a different measurement.
    • In this case, a BitLocker recovery method is required to unlock the device.

    Additionally, if the TPM protector is using PCRs beyond the default PCR 7 and PCR 11 (for example, due to custom Group Policy or Secure Boot being altered), firmware or Secure Boot–related changes can cause persistent recovery prompts. Devices that support Connected Standby must use PCR 7, and BitLocker in its default configuration binds to PCR 7 and PCR 11 when Secure Boot is correctly configured.

    Likely causes in this environment include:

    1. A Secure Boot configuration or certificate change (for example, Secure Boot DB/KEK updates, OEM firmware updates, or Secure Boot policy changes) that altered the PCR 7 measurements without BitLocker being suspended and resumed.
    2. Group Policy that explicitly configures non‑default PCRs for the TPM protector, causing BitLocker to be sensitive to additional firmware/boot changes.

    Recommended remediation steps:

    1. Verify the BitLocker TPM protector PCR profile on an affected device:
      • Run in an elevated Command Prompt: 
             manage-bde.exe -protectors -get <OSDriveLetter>:
      • Confirm which PCRs are in use. Default on modern devices is PCR 7 and PCR 11.
    2. Restore default Secure Boot and PCR configuration:
      • Ensure Secure Boot is enabled and configured to the standard vendor/Microsoft configuration (for example, on Surface devices, set Secure Boot to “Microsoft Only”).
      • Remove or adjust any Group Policy Objects that explicitly configure non‑default PCRs for BitLocker TPM protectors. See BitLocker Group Policy settings for details.
    3. Re‑seal BitLocker to the current Secure Boot state:
      • Suspend BitLocker on the OS volume, reboot once so the firmware/Secure Boot state is measured consistently, then resume BitLocker so the TPM protector is updated to the new PCR measurements. For example (PowerShell, elevated): 
             Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
      • Reboot the device, confirm it boots normally.
      • Then run: 
             Resume-BitLocker -MountPoint "<DriveLetter>:"
      • This updates the TPM protector with the current Secure Boot/PCR 7 measurements and should stop the repeated recovery prompts as long as Secure Boot configuration remains stable.
    4. For devices already stuck in recovery after a firmware/Secure Boot change:
      • Unlock using the recovery key.
      • Ensure Secure Boot is in the intended configuration.
      • Then perform the suspend/reboot/resume sequence above so BitLocker binds to the new, stable PCR measurements.

    If Secure Boot or firmware continues to change (for example, staged Secure Boot certificate updates applied over multiple reboots), BitLocker may enter recovery again until those changes are complete and BitLocker is re‑sealed to the final configuration.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.